Vulnerabilities > Phorum > High
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2007-04-27 | CVE-2007-2339 | SQL-Injection vulnerability in Phorum | Multiple SQL injection vulnerabilities in Phorum before 5.1.22 allow remote attackers to execute arbitrary SQL commands via (1) a modified recipients parameter name in (a) pm.php; (2) the curr parameter to the (b) badwords (aka censorlist) or (c) banlist module in admin.php; or (3) the "Edit groups / Add group" field in the (d) groups module in admin.php. | 7.5 |
2007-04-27 | CVE-2007-2338 | Input Validation vulnerability in Phorum | Cross-site request forgery (CSRF) vulnerability in include/admin/banlist.php in Phorum before 5.1.22 allows remote attackers to perform unauthorized banlist deletions as an administrator via the delete parameter. | 7.5 |
2004-12-31 | CVE-2004-2243 | Remote Security vulnerability in Phorum 4.3.7 | Phorum allows remote attackers to hijack sessions of other users by stealing and replaying the session hash in the phorum_uriauth parameter, as demonstrated using profile.php. | 7.5 |
2004-12-31 | CVE-2004-2240 | Cross-Site Scripting and SQL Injection vulnerability in Phorum 5.0.11 | Multiple SQL injection vulnerabilities in Phorum 5.0.11 and earlier allow remote attackers to modify SQL statements via (1) the query string in read.php or (2) unknown vectors in file.php. | 7.5 |
2004-12-31 | CVE-2004-2110 | SQL-Injection vulnerability in Phorum | SQL injection vulnerability in register.php in Phorum before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. | 7.5 |
2004-04-19 | CVE-2004-1938 | SQL Injection vulnerability in Phorum Phorum_URIAuth | SQL injection vulnerability in userlogin.php in Phorum 3.4.7 allows remote attackers to execute arbitrary SQL commands via doubly hex-encoded characters such as "%2527", which is translated to "'", as demonstrated using the phorum_uriauth parameter to list.php. | 7.5 |
2004-01-20 | CVE-2004-0035 | SQL Injection vulnerability in Phorum Registration Script hide_email | SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. | 7.5 |
2003-12-31 | CVE-2003-1466 | Unspecified vulnerability in Phorum 3.4/3.4.1/3.4.2 | Unspecified vulnerability in Phorum 3.4 through 3.4.2 allows remote attackers to use Phorum as a connection proxy to other sites via (1) register.php or (2) login.php. | 7.5 |
2002-08-12 | CVE-2002-0764 | Remote Command Execution vulnerability in Phorum 3.3.2A | Phorum 3.3.2a allows remote attackers to execute arbitrary commands via an HTTP request to (1) plugin.php, (2) admin.php, or (3) del.php that modifies the PHORUM[settings_dir] variable to point to a directory that contains a PHP file with the commands. | 7.5 |
2000-12-31 | CVE-2000-1233 | Unspecified vulnerability in Phorum 3.0.7 | SQL injection vulnerability in read.php3 and other scripts in Phorum 3.0.7 allows remote attackers to execute arbitrary SQL queries via the sSQL parameter. | 7.5 |