CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0338 – Buffer Overflow Vulnerability in XAMPP
https://notcve.org/view.php?id=CVE-2024-0338
02 Feb 2024 — A buffer overflow vulnerability has been found in XAMPP affecting version 8.2.4 and earlier. An attacker could execute arbitrary code through a long file debug argument that controls the Structured Exception Handler (SEH). Se encontró una vulnerabilidad de desbordamiento de búfer de almacenamiento dinámico en XAMPP que afecta a la versión 8.2.4 y anteriores. Un atacante podría ejecutar código arbitrario a través de un argumento de depuración de archivo largo que controla el controlador de excepciones estruc... • https://www.incibe.es/en/incibe-cert/notices/aviso/buffer-overflow-vulnerability-xampp • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 1CVE-2022-47637
https://notcve.org/view.php?id=CVE-2022-47637
12 Sep 2023 — The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory. Common use cases execute files under C:\xampp with administrative privileges. El instalador en XAMPP hasta 8.1.12 permite a los usuarios locales escribir en el directorio C:\xampp. Los casos de uso comunes ejecutan archivos en C:\xampp con privilegios administrativos. • https://shinnai.altervista.org/exploits/DVRT-2023-0001_CVE-2022-47637.pdf • CWE-281: Improper Preservation of Permissions •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-29376
https://notcve.org/view.php?id=CVE-2022-29376
23 May 2022 — Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory. Se ha detectado que Xampp para Windows versiones v8.1.4 y anteriores, contiene permisos no seguros para su directorio de instalación, lo que permite a atacantes ejecutar código arbitrario por medio de la escritura excesiva de binarios ubicados en el directorio • https://github.com/ycdxsb/Vuln/blob/main/Xampp-Install-Dir-Incorrect-Default-Permission/Xampp-Install-Dir-Incorrect-Default-Permission.md • CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 5CVE-2020-11107 – XAMPP 7.4.3 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2020-11107
02 Apr 2020 — An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution. Se detectó un problema en XAMPP versiones anteriores a 7.2.29, versiones 7.3.x anteriores a 7.3.16 y versiones 7.4.x anteriores a 7.4.4 en Windows. Un usuario no privilegiado puede cambiar una configuración de .exe en xampp-contol.ini para todos los usuarios (in... • https://packetstorm.news/files/id/164292 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 4CVE-2019-8924 – XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8924
19 Feb 2019 — XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued. XAMPP a través de la versión 5.6.8 permite una vulnerabilidad de XSS por medio del archivo cds-fpdf.php en el parámetro interpret o titel. NOTA: Este producto está suspendido. XAMPP version 5.6.8 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://packetstorm.news/files/id/151756 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 3CVE-2019-8923 – XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8923
19 Feb 2019 — XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued. En XAMPP hasta la versión 5.6.8 y anterior, permite la inyección de SQL por medio del parámetro cds-fpdf.php jahr. NOTA: Este producto está descatalogado. XAMPP version 5.6.8 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://packetstorm.news/files/id/151756 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2008-6499 – XAMPP 1.6.8 - Cross-Site Request Forgery (Change Administrative Password)
https://notcve.org/view.php?id=CVE-2008-6499
20 Mar 2009 — security/xamppsecurity.php in XAMPP 1.6.8 performs an extract operation on the SERVER superglobal array, which allows remote attackers to spoof critical variables, as demonstrated by setting the REMOTE_ADDR variable to 127.0.0.1. security/xamppsecurity.php en XAMPP v1.6.8 realiza una operación "extract" en el array superglobal SERVER, lo cual permite a atacantes remotos suplantar variables críticas, como lo demostrado a través del establecimiento de la variable REMOTE_ADDR de 127.0.0.1. • https://www.exploit-db.com/exploits/7384 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2008-6498 – XAMPP 1.7.2 - Change Administrative Password
https://notcve.org/view.php?id=CVE-2008-6498
20 Mar 2009 — Cross-site request forgery (CSRF) vulnerability in security/xamppsecurity.php in XAMPP 1.6.8 allows remote attackers to hijack the authentication of users for requests that change a certain .htaccess password via the xampppasswd parameter. La vulnerabilidad de tipo cross-site request forgery (CSRF) en el archivo security/xamppsecurity.php en XAMPP versión 1.6.8, permite a los atacantes remotos secuestrar la autenticación de usuarios para las peticiones que cambian una determinada contraseña de .htaccess por... • https://www.exploit-db.com/exploits/10391 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 1%CPEs: 109EXPL: 0CVE-2009-0919
https://notcve.org/view.php?id=CVE-2009-0919
16 Mar 2009 — XAMPP installs multiple packages with insecure default passwords, which makes it easier for remote attackers to obtain access via (1) the "lampp" default password for the "nobody" account within the included ProFTPD installation, (2) a blank default password for the "root" account within the included MySQL installation, (3) a blank default password for the "pma" account within the phpMyAdmin installation, and possibly other unspecified passwords. NOTE: this was originally reported as a problem in DFLabs PTK... • http://ptk.dflabs.com/security.html • CWE-255: Credentials Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2008-4450
https://notcve.org/view.php?id=CVE-2008-4450
06 Oct 2008 — Cross-site scripting (XSS) vulnerability in adodb.php in XAMPP for Windows 1.6.8 allows remote attackers to inject arbitrary web script or HTML via the (1) dbserver, (2) host, (3) user, (4) password, (5) database, and (6) table parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Una vulnerabilidad de secuencias de comándos en sitios cruzados (XSS) en adodb.php en XAMPP para Windows 1.6.8 permite a atacantes remotos inyectar secuencia... • http://secunia.com/advisories/32134 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •