Filtered by vendor Francisco Burzi
Subscriptions
Filtered by product Php-nuke
Subscriptions
Total
96 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2005-4715 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
Multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) sid, and (3) pid parameters in a POST request, which bypasses security checks that are performed for GET requests. | ||||
CVE-2006-0676 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
Cross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 to 7.8 allows remote attackers to inject arbitrary web script or HTML via the pagetitle parameter. | ||||
CVE-2006-0805 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypass CAPTCHA controls by fixing the User Agent, performing a valid challenge/response, then replaying that pair in the random_num and gfx_check parameters. | ||||
CVE-2000-0745 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter. | ||||
CVE-2006-0908 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
PHP-Nuke 7.8 Patched 3.2 allows remote attackers to bypass SQL injection protection mechanisms via /%2a (/*) sequences with the "ad_click" word in the query string, as demonstrated via the kala parameter. | ||||
CVE-2006-1846 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
Cross-site scripting (XSS) vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to inject arbitrary HTML and web script via the ublock parameter, which is saved in the user's personal menu. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. In addition, it is unclear whether this issue is a vulnerability, since it is related to the user's personal menu, which presumably is not modifiable by others. | ||||
CVE-2006-1847 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
SQL injection vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to execute arbitrary SQL commands via the user_id parameter in the Your_Home functionality. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||
CVE-2006-0907 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
SQL injection vulnerability in PHP-Nuke before 7.8 Patched 3.2 allows remote attackers to execute arbitrary SQL commands via encoded /%2a (/*) sequences in the query string, which bypasses regular expressions that are intended to protect against SQL injection, as demonstrated via the kala parameter. | ||||
CVE-2001-0001 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie. | ||||
CVE-2001-0292 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
PHP-Nuke 4.4.1a allows remote attackers to modify a user's email address and obtain the password by guessing the user id (UID) and calling user.php with the saveuser operator. | ||||
CVE-2001-0320 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
bb_smilies.php and bbcode_ref.php in PHP-Nuke 4.4 allows remote attackers to read arbitrary files and gain PHP administrator privileges by inserting a null character and .. (dot dot) sequences into a malformed username argument. | ||||
CVE-2001-0321 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
opendir.php script in PHP-Nuke allows remote attackers to read arbitrary files by specifying the filename as an argument to the requesturl parameter. | ||||
CVE-2001-0383 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication. | ||||
CVE-2001-0854 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
PHP-Nuke 5.2 allows remote attackers to copy and delete arbitrary files by calling case.filemanager.php with admin.php as an argument, which sets the $PHP_SELF variable and makes it appear that case.filemanager.php is being called by admin.php instead of the user. | ||||
CVE-2001-0911 | 2 Francisco Burzi, Postnuke Software Foundation | 2 Php-nuke, Postnuke | 2025-04-03 | N/A |
PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it. | ||||
CVE-2001-1025 | 1 Francisco Burzi | 1 Php-nuke | 2025-04-03 | N/A |
PHP-Nuke 5.x allows remote attackers to perform arbitrary SQL operations by modifying the "prefix" variable when calling any scripts that do not already define the prefix variable (e.g., by including mainfile.php), such as article.php. |