CVE-2008-1350 – Fully Modded phpBB - 'kb.php' SQL Injection
https://notcve.org/view.php?id=CVE-2008-1350
SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) 80220 allows remote attackers to execute arbitrary SQL commands via the k parameter in an article action.
• https://www.exploit-db.com/exploits/5243 http://secunia.com/advisories/29339 http://securityreason.com/securityalert/3745 http://www.securityfocus.com/archive/1/489468/100/0/threaded http://www.securityfocus.com/bid/28225 https://exchange.xforce.ibmcloud.com/vulnerabilities/41192
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2008-1305 – phpBB Mod FileBase 2.0 - 'id' SQL Injection
https://notcve.org/view.php?id=CVE-2008-1305
SQL injection vulnerability in filebase.php in the Filebase mod for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter.
• https://www.exploit-db.com/exploits/5236 http://www.securityfocus.com/bid/28194 https://exchange.xforce.ibmcloud.com/vulnerabilities/41137
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2008-1171
https://notcve.org/view.php?id=CVE-2008-1171
Multiple PHP remote file inclusion vulnerabilities in the 123 Flash Chat Module for phpBB allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) 123flashchat.php and (2) phpbb_login_chat.php. NOTE: CVE disputes this issue because $phpbb_root_path is explicitly set to "./" in both programs.
• http://securityreason.com/securityalert/3716 http://www.attrition.org/pipermail/vim/2008-March/001913.html http://www.securityfocus.com/archive/1/488914/100/0/threaded http://www.securityfocus.com/archive/1/488922/100/0/threaded
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2008-0471
https://notcve.org/view.php?id=CVE-2008-0471
Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as arbitrary users via a deleteall action.
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589 http://secunia.com/advisories/28630 http://secunia.com/advisories/28871 http://securityreason.com/securityalert/3585 http://www.debian.org/security/2008/dsa-1488 http://www.securityfocus.com/archive/1/487004/100/0/threaded
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2007-6223 – phpBB Garage 1.2.0 Beta3 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-6223
SQL injection vulnerability in garage.php in phpBB Garage 1.2.0 Beta3 allows remote attackers to execute arbitrary SQL commands via the make_id parameter in a search action in browse mode.
• https://www.exploit-db.com/exploits/4686 http://www.securityfocus.com/bid/26683 https://exchange.xforce.ibmcloud.com/vulnerabilities/38832
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')