Vulnerabilities > Phpkit > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-05-24 | CVE-2016-10758 | Unrestricted Upload of File with Dangerous Type vulnerability in PHPkit 1.6.6 PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php file to pkinc/admin/mediaarchive.php and pkinc/func/default.php via the image_name parameter. | 6.5 |
| 2015-01-15 | CVE-2015-1052 | Cross-site Scripting vulnerability in PHPkit 1.6.6 Cross-site scripting (XSS) vulnerability in the poll archive in PHPKIT 1.6.6 (Build 160014) allows remote attackers to inject arbitrary web script or HTML via the result parameter to upload_files/pk/include.php. | 4.3 |
| 2009-09-09 | CVE-2008-7193 | Cross-Site Request Forgery (CSRF) vulnerability in PHPkit 1.6.4Pl1 PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php. | 6.8 |
| 2006-04-13 | CVE-2006-1773 | SQL Injection vulnerability in PHPKIT Include.PHP SQL injection vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to execute arbitrary SQL commands via the contentid parameter, possibly involving content/news.php. | 6.4 |
| 2006-03-30 | CVE-2006-1507 | Cross-Site Scripting vulnerability in PHPkit 1.6.03 Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows remote attackers to inject arbitrary web script or HTML via the error parameter to include.php, possibly due to a problem in login/login.php. network phpkit | 6.8 |
| 2006-02-19 | CVE-2006-0786 | Remote Security vulnerability in PHPKIT Incomplete blacklist vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier, with allow_url_fopen enabled, allows remote attackers to conduct PHP remote file include attacks via a path parameter that specifies a (1) UNC share or (2) ftps URL, which bypasses the check for "http://", "ftp://", and "https://" URLs. | 5.1 |
| 2006-02-19 | CVE-2006-0785 | File-Upload vulnerability in PHPKIT Absolute path traversal vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to include and execute arbitrary local files via a direct request with a path parameter with a null character and beginning with (1) '/' (slash) for an absolute pathname or (2) a drive letter (such as "C:"), which bypasses checks for ".." sequences and trailing ".php" extensions. | 6.4 |
| 2005-12-20 | CVE-2005-4424 | Input Validation vulnerability in PHPkit 1.6.02/1.6.03/1.6.1 Directory traversal vulnerability in PHPKIT 1.6.1 R2 and earlier might allow remote authenticated users to execute arbitrary PHP code via a .. | 6.5 |
| 2005-11-16 | CVE-2005-3554 | Code Injection vulnerability in PHPkit 1.6.02/1.6.03/1.6.1 Multiple eval injection vulnerabilities in the help function in PHPKIT 1.6.1 R2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary code on the server via unknown attack vectors involving uninitialized variables. | 5.1 |
| 2005-11-16 | CVE-2005-3552 | Cross-Site Scripting vulnerability in PHPkit Multiple cross-site scripting (XSS) vulnerabilities in PHPKIT 1.6.1 R2 and earlier allow remote attackers to inject arbitrary web script or HTML via multiple vectors in (1) login/profile.php, (2) login/userinfo.php, (3) admin/admin.php, (4) imcenter.php, and the (5) referer statistics, the (6) HTML title element and (7) logo alt attributes in forum postings, and the (8) Homepage field in the Guestbook. | 4.3 |