Francisco Burzi Php-Nuke vulnerabilities

CVE-2004-1972 [HIGH] CVE-2004-1972: SQL injection vulnerability in modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote SQL injection vulnerability in modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to execute arbitrary SQL code via the (1) clipid or (2) catid parameters in a viewclip, viewcat, or voteclip action.

CVE-2004-1929 [HIGH] CVE-2004-1929: SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 all SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter.

CVE-2004-1932 [HIGH] CVE-2004-1932: SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows rem SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter.

CVE-2004-1930 [MEDIUM] CVE-2004-1930: Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6 Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitrary web script or HTML via a base64-encoded user parameter or cookie.

CVE-2004-1986 [MEDIUM] CVE-2004-1986: Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 al Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter.

CVE-2004-1839 [MEDIUM] CVE-2004-1839: MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a di MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a direct request to (1) browsers.php, (2) mstrack.php, or (3) title.php, which reveal the full path in a PHP error message.

CVE-2004-1840 [MEDIUM] CVE-2004-1840: Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allows re Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php.

CVE-2004-1830 [MEDIUM] CVE-2004-1830: error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive informat error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information via an invalid (1) language, (2) newlang, or (3) lang parameter, which leaks the pathname in a PHP error message.

CVE-2004-1817 [MEDIUM] CVE-2004-1817: Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7.1.0 allows remote attackers to Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7.1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Your Name field, (2) e-mail field, (3) nicname field, (4) fname parameter, (5) ratenum parameter, or (6) search field.

CVE-2003-1435 [HIGH] CWE-89 CVE-2003-1435: SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module.

CVE-2003-1210 [HIGH] CVE-2003-1210: Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 5.x through 6.5 allow re Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 5.x through 6.5 allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to the getit function or the (2) min parameter to the search function.

CVE-2003-1400 [MEDIUM] CWE-79 CVE-2003-1400: Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 all Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter.

CVE-2003-1468 [MEDIUM] CWE-200 CVE-2003-1468: The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full we The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full web server path via an invalid cid parameter that is non-numeric or null, which leaks the pathname in an error message.

CVE-2003-1526 [MEDIUM] CWE-200 CVE-2003-1526: PHP-Nuke 7.0 allows remote attackers to obtain the installation path via certain characters such as PHP-Nuke 7.0 allows remote attackers to obtain the installation path via certain characters such as (1) ", (2) ', or (3) > in the search field, which reveals the path in an error message.

CVE-2003-1547 [MEDIUM] CWE-79 CVE-2003-1547: Cross-site scripting (XSS) vulnerability in block-Forums.php in the Splatt Forum module for PHP-Nuke Cross-site scripting (XSS) vulnerability in block-Forums.php in the Splatt Forum module for PHP-Nuke 6.x allows remote attackers to inject arbitrary web script or HTML via the subject parameter.

CVE-2003-0279 [LOW] CVE-2003-0279: Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allows r Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allows remote attackers to steal sensitive information via numeric fields, as demonstrated using (1) the viewlink function and cid parameter, or (2) index.php.

CVE-2003-0318 [MEDIUM] CVE-2003-0318: Cross-site scripting (XSS) vulnerability in the Statistics module for PHP-Nuke 6.0 and earlier allow Cross-site scripting (XSS) vulnerability in the Statistics module for PHP-Nuke 6.0 and earlier allows remote attackers to insert arbitrary web script via the year parameter.

CVE-2002-2032 [MEDIUM] CVE-2002-2032: sql_layer.php in PHP-Nuke 5.4 and earlier does not restrict access to debugging features, which allo sql_layer.php in PHP-Nuke 5.4 and earlier does not restrict access to debugging features, which allows remote attackers to gain SQL query information by setting the sql_debug parameter to (1) index.php and (2) modules.php.

CVE-2002-1803 [MEDIUM] CVE-2002-1803: Cross-site scripting (XSS) vulnerability in PHP-Nuke 6.0 allows remote attackers to inject arbitrary Cross-site scripting (XSS) vulnerability in PHP-Nuke 6.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag.

CVE-2002-1242 [HIGH] CVE-2002-1242: SQL injection vulnerability in PHP-Nuke before 6.0 allows remote authenticated users to modify the d SQL injection vulnerability in PHP-Nuke before 6.0 allows remote authenticated users to modify the database and gain privileges via the "bio" argument to modules.php.