DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2008-11-12 | CVE-2008-5039 | **Cross-Site Scripting vulnerability in PHP-Nuke League Module 2.4.** Cross-site scripting (XSS) vulnerability in the League module for PHP-Nuke, possibly 2.4, allows remote attackers to inject arbitrary web script or HTML via the tid parameter in a team action to modules.php. | 4.3 |
2008-10-31 | CVE-2008-4804 | **SQL Injection vulnerability in Nukedgallery Gallery.** SQL injection vulnerability in the Gallery module 1.3 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the aid parameter in a showalbum action to index.php. | 7.5 |
2008-10-28 | CVE-2008-4767 | **Improper Input Validation vulnerability in PHP-Nuke Downloadsplus Module.** Unrestricted file upload vulnerability in the DownloadsPlus module in PHP-Nuke allows remote attackers to execute arbitrary code by uploading a file with (1) .htm, (2) .html, or (3) .txt extensions, then accessing it via a direct request to the file. | 9.0 |
2008-04-30 | CVE-2008-2020 | **Use of Insufficiently Random Values vulnerability in multiple products.** The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and (8) Labgab 1.1 uses a code_bg.jpg background image and the PHP ImageString function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings. (CWE-330) | 7.5 |
2008-03-12 | CVE-2008-1314 | **SQL Injection vulnerability in Johannes Hass Gaestebuch Module 2.2.** SQL injection vulnerability in the Johannes Hass gaestebuch 2.2 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit action to modules.php. | 7.5 |
2008-03-12 | CVE-2008-1308 | **SQL Injection vulnerability in Sudirman Angriawan Nukec30 3.0.** SQL injection vulnerability in the Sudirman Angriawan NukeC30 3.0 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id_catg parameter in a ViewCatg action to modules.php. | 7.5 |
2007-08-08 | CVE-2007-4212 | **Cross-Site Scripting vulnerability in PHP-Nuke Search Module.** Multiple cross-site scripting (XSS) vulnerabilities in the Search Module in PHP-Nuke allow remote attackers to inject arbitrary web script or HTML via a trailing "<" instead of a ">" in (1) the onerror attribute of an IMG element, (2) the onload attribute of an IFRAME element, or (3) redirect users to other sites via the META tag. | 4.3 |
2007-03-14 | CVE-2007-1450 | **SQL Injection vulnerability in PHP-Nuke.** SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to execute arbitrary SQL commands in the Top or News module via the lang parameter. | 7.5 |
2007-03-14 | CVE-2007-1449 | **Local File Include and SQL Injection vulnerability in PHP-Nuke Lang Parameter.** Directory traversal vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to read arbitrary files via a .. | 4.3 |
2006-10-26 | CVE-2006-5525 | **SQL Injection vulnerability in PHP-Nuke Encyclopedia Module.** Incomplete blacklist vulnerability in mainfile.php in PHP-Nuke 7.9 and earlier allows remote attackers to conduct SQL injection attacks via (1) `"/**/UNION "` or (2) `" UNION/**/"` sequences, which are not rejected by the protection mechanism, as demonstrated by a SQL injection via the eid parameter in a search action in the Encyclopedia module in modules.php. | 5.1 |