Francisco Burzi Php-Nuke vulnerabilities
94 known vulnerabilities affecting francisco_burzi/php-nuke.
Total CVEs: 94
CISA KEV: 0
Public exploits: 48
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 36, MEDIUM 54, LOW 1
Vulnerabilities
Page 2 of 5
CVE-2002-1242 | P3 | HIGH | CVSS 7.5 | PoC | v5.6 | 2002-11-12
SQL injection vulnerability in PHP-Nuke before 6.0 allows remote authenticated users to modify the database and gain privileges via the "bio" argument to modules.php.
nvd
CVE-2003-1435 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC | v5.6, v6.0 | 2003-12-31
SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module.
nvd
CVE-2008-0461 | P3 | MEDIUM | CVSS 6.8 | CWE-89 | PoC | ≤ 8.0_final | 2008-01-25
SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information.
nvd
CVE-2004-1932 | P4 | HIGH | CVSS 7.5 | PoC | v6.0, v6.5 +12 more | 2004-04-12
SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter.
nvd
CVE-2004-1986 | P4 | MEDIUM | CVSS 5.0 | PoC | v6.9, v7.0 +3 more | 2004-04-04
Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter.
nvd
CVE-2001-0383 | P4 | MEDIUM | CVSS 5.0 | PoC | ≤ 4.4 | 2001-06-18
banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.
nvd
CVE-2002-2032 | P4 | MEDIUM | CVSS 5.0 | PoC | v1.0, v2.5 +12 more | 2002-12-31
sql_layer.php in PHP-Nuke 5.4 and earlier does not restrict access to debugging features, which allows remote attackers to gain SQL query information by setting the sql_debug parameter to (1) index.php and (2) modules.php.
nvd
CVE-2004-0265 | P4 | MEDIUM | CVSS 6.8 | PoC | v6.0, v6.5 +11 more | 2004-11-23
Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules.
nvd
CVE-2004-0266 | P4 | MEDIUM | CVSS 5.0 | PoC | v6.0, v6.5 +11 more | 2004-11-23
SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers to obtain the administrator password via the c_mid parameter.
nvd
CVE-2002-0483 | P4 | MEDIUM | CVSS 5.0 | PoC | v5.0, v5.0.1 +5 more | 2002-08-12
index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an error message that leaks the pathname.
nvd
CVE-2004-1987 | P3 | HIGH | CVSS 7.5 | v6.9, v7.0 +3 more | 2004-04-30
picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to execute arbitrary commands via shell metacharacters in the (1) $CONFIG['impath'] or (2) $CONFIG['jpeg_qual'] parameters.
nvd
CVE-2004-2297 | P4 | MEDIUM | CVSS 5.0 | PoC | v6.0, v6.5 +13 more | 2004-12-31
The Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large, out-of-range score parameter.
nvd
CVE-2005-4260 | P4 | MEDIUM | CVSS 4.3 | PoC | v7.0, v7.1 +6 more | 2005-12-15
Interpretation conflict in includes/mainfile.php in PHP-Nuke 7.9 and later allows remote attackers to perform cross-site scripting (XSS) attacks by replacing the ">" in the tag with a "<", which bypasses the regular expressions that sanitize the data, but is automatically corrected by many web browsers. NOTE: it could be argued that this vulnerability is due
nvd
CVE-2004-1985 | P4 | MEDIUM | CVSS 4.3 | PoC | v6.9, v7.0 +3 more | 2004-04-30
Cross-site scripting (XSS) vulnerability in menu.inc.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to inject arbitrary HTML or web script via the CPG_URL parameter.
nvd
CVE-2004-2293 | P4 | MEDIUM | CVSS 4.3 | PoC | v6.0, v6.5 +13 more | 2004-12-31
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.0 to 7.3 allow remote attackers to inject arbitrary web script or HTML via the (1) eid parameter or (2) query parameter to the Encyclopedia module, (3) preview_review function in the Reviews module as demonstrated by the url, cover, rlanguage, and hits parameters, or (4) savecomment function in
nvd
CVE-2006-0676 | P4 | MEDIUM | CVSS 4.3 | PoC | v6.0, v6.5 +16 more | 2006-02-13
Cross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 to 7.8 allows remote attackers to inject arbitrary web script or HTML via the pagetitle parameter.
nvd
CVE-2005-1023 | P4 | MEDIUM | CVSS 4.3 | PoC | v6.0, v6.5 +16 more | 2005-05-02
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x to 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) min parameter to the Search module, (2) the categories parameter to the FAQ module, or (3) the ltr parameter to the Encyclopedia module. NOTE: the bid parameter issue in banners.php is already an item in CVE-2005
nvd
CVE-2005-4715 | P3 | HIGH | CVSS 7.5 | v7.8 | 2005-12-31
Multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) sid, and (3) pid parameters in a POST request, which bypasses security checks that are performed for GET requests.
nvd
CVE-2006-6200 | P3 | HIGH | CVSS 7.5 | v7.0, v7.0_final +10 more | 2006-12-01
Multiple SQL injection vulnerabilities in the (1) rate_article and (2) rate_complete functions in modules/News/index.php in the News module in Francisco Burzi PHP-Nuke 7.9 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the sid parameter.
nvd
CVE-2006-6234 | P3 | HIGH | CVSS 7.5 | v6.0 | 2006-12-02
Multiple SQL injection vulnerabilities in the Content module in PHP-Nuke 6.0, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via (1) the cid parameter in a list_pages_categories action or (2) the pid parameter in a showpage action.
nvd