Vulnerabilities > Phpkit
| Date | CVE | Title | Description | Score |
|---|---|---|---|---|
| 2019-05-24 | CVE-2016-10758 | Unrestricted Upload of File with Dangerous Type vulnerability in PHPkit 1.6.6 | PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php file to pkinc/admin/mediaarchive.php and pkinc/func/default.php via the image_name parameter. | 6.5 |
| 2015-01-15 | CVE-2015-1052 | Cross-site Scripting vulnerability in PHPkit 1.6.6 | Cross-site scripting (XSS) vulnerability in the poll archive in PHPKIT 1.6.6 (Build 160014) allows remote attackers to inject arbitrary web script or HTML via the result parameter to upload_files/pk/include.php. | 4.3 |
| 2009-09-09 | CVE-2008-7193 | Cross-Site Request Forgery (CSRF) vulnerability in PHPkit 1.6.4Pl1 | PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php. | 6.8 |
| 2007-11-27 | CVE-2007-6134 | SQL Injection vulnerability in PHPkit 1.6.4Pl1 | SQL injection vulnerability in pkinc/public/article.php in PHPKIT 1.6.4pl1 allows remote attackers to execute arbitrary SQL commands via the contentid parameter in an article action to include.php, a different vector than CVE-2006-1773. | 7.5 |
| 2007-03-06 | CVE-2006-7115 | SQL-Injection vulnerability in PHPkit 1.6.1 | SQL injection vulnerability in PHPKit 1.6.1 RC2 allows remote attackers to inject arbitrary SQL commands via the catid parameter to include.php when the path parameter is set to faq/faq.php, and other unspecified vectors involving guestbook/print.php. | 7.5 |
| 2007-01-11 | CVE-2007-0179 | SQL Injection vulnerability in PHPkit 1.6.1 | SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the subid parameter. | 7.5 |
| 2006-04-13 | CVE-2006-1773 | SQL Injection vulnerability in PHPKIT Include.PHP | SQL injection vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to execute arbitrary SQL commands via the contentid parameter, possibly involving content/news.php. | 6.4 |
| 2006-03-30 | CVE-2006-1507 | Cross-Site Scripting vulnerability in PHPkit 1.6.03 | Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows remote attackers to inject arbitrary web script or HTML via the error parameter to include.php, possibly due to a problem in login/login.php. | 6.8 |
| 2006-02-19 | CVE-2006-0786 | Remote Security vulnerability in PHPKIT | Incomplete blacklist vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier, with allow_url_fopen enabled, allows remote attackers to conduct PHP remote file include attacks via a path parameter that specifies a (1) UNC share or (2) ftps URL, which bypasses the check for "http://", "ftp://", and "https://" URLs. | 5.1 |
| 2006-02-19 | CVE-2006-0785 | File-Upload vulnerability in PHPKIT | Absolute path traversal vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to include and execute arbitrary local files via a direct request with a path parameter with a null character and beginning with (1) '/' (slash) for an absolute pathname or (2) a drive letter (such as "C:"), which bypasses checks for ".." sequences and trailing ".php" extensions. | 6.4 |