Vwar Virtual War vulnerabilities
22 known vulnerabilities affecting vwar/virtual_war.
Total CVEs
22
CISA KEV
0
Public exploits
8
Exploited in wild
0
Severity breakdown
HIGH10MEDIUM12
Vulnerabilities
Page 1 of 2
CVE-2010-5063P3HIGHCVSS 7.5PoCv1.6.12012-10-08
CVE-2010-5063 [HIGH] CWE-89 CVE-2010-5063: SQL injection vulnerability in article.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attacker
SQL injection vulnerability in article.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the ratearticleselect parameter.
nvd
CVE-2007-4605P3HIGHCVSS 7.5PoC≤ 1.5.0_r152007-08-31
CVE-2007-4605 [HIGH] CVE-2007-4605: PHP remote file inclusion vulnerability in convert/mvcw.php in Virtual War (VWar) 1.5.0 R15 and earl
PHP remote file inclusion vulnerability in convert/mvcw.php in Virtual War (VWar) 1.5.0 R15 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter, a different vector than CVE-2006-1503, CVE-2006-1636, and CVE-2006-1747.
nvd
CVE-2006-4142P3HIGHCVSS 7.5PoCv1.5.0v1.5.0_r1+13 more2006-08-14
CVE-2006-4142 [HIGH] CVE-2006-4142: SQL injection vulnerability in extra/online.php in Virtual War (VWar) 1.5.0 R14 and earlier allows r
SQL injection vulnerability in extra/online.php in Virtual War (VWar) 1.5.0 R14 and earlier allows remote attackers to execute arbitrary SQL commands via the n parameter.
nvd
CVE-2008-0753P3HIGHCVSS 7.5PoCv1.52008-02-13
CVE-2008-0753 [HIGH] CWE-89 CVE-2008-0753: SQL injection vulnerability in calendar.php in Virtual War (VWar) 1.5 allows remote attackers to exe
SQL injection vulnerability in calendar.php in Virtual War (VWar) 1.5 allows remote attackers to execute arbitrary SQL commands via the month parameter.
nvd
CVE-2006-4010P3HIGHCVSS 7.5PoCv1.5.02006-08-07
CVE-2006-4010 [HIGH] CVE-2006-4010: SQL injection vulnerability in war.php in Virtual War (Vwar) 1.5.0 and earlier allows remote attacke
SQL injection vulnerability in war.php in Virtual War (Vwar) 1.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter. NOTE: other vectors are covered by CVE-2006-3139.
nvd
CVE-2007-2312P3HIGHCVSS 7.5PoCv1.5.0_r152007-04-26
CVE-2007-2312 [HIGH] CVE-2007-2312: Multiple SQL injection vulnerabilities in the Virtual War (VWar) 1.5.0 R15 module for PHP-Nuke allow
Multiple SQL injection vulnerabilities in the Virtual War (VWar) 1.5.0 R15 module for PHP-Nuke allow remote attackers to execute arbitrary SQL commands via the n parameter to extra/online.php and other unspecified scripts in extra/. NOTE: this might be same vulnerability as CVE-2006-4142; however, there is an intervening vendor fix announcement.
nvd
CVE-2006-1747P3HIGHCVSS 7.5PoCv1.5.02006-04-12
CVE-2006-1747 [HIGH] CVE-2006-1747: PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 allows remote attackers to execu
PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter to (1) admin/admin.php, (2) war.php, (3) stats.php, (4) news.php, (5) joinus.php, (6) challenge.php, (7) calendar.php, (8) member.php, (9) popup.php, and other unspecified scripts in the admin folder. NOT
nvd
CVE-2006-3139P3HIGHCVSS 7.5≤ 1.5.0_r14v1.5.0_r1+12 more2006-06-22
CVE-2006-3139 [HIGH] CWE-89 CVE-2006-3139: Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow
Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters.
nvd
CVE-2006-4141P3HIGHCVSS 7.5≤ 1.5.02006-08-14
CVE-2006-4141 [HIGH] CVE-2006-4141: SQL injection vulnerability in news.php in Virtual War (VWar) 1.5.0 and earlier allows remote attack
SQL injection vulnerability in news.php in Virtual War (VWar) 1.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) sortby and (2) sortorder parameters.
nvd
CVE-2006-4009P4MEDIUMCVSS 4.3PoCv1.5.02006-08-07
CVE-2006-4009 [MEDIUM] CVE-2006-4009: Cross-site scripting (XSS) vulnerability in war.php in Virtual War (Vwar) 1.5.0 and earlier allows r
Cross-site scripting (XSS) vulnerability in war.php in Virtual War (Vwar) 1.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
nvd
CVE-2010-5067P4MEDIUMCVSS 6.8v1.6.12012-10-08
CVE-2010-5067 [MEDIUM] CWE-255 CVE-2010-5067: Virtual War (aka VWar) 1.6.1 R2 uses static session cookies that depend only on a user's password, w
Virtual War (aka VWar) 1.6.1 R2 uses static session cookies that depend only on a user's password, which makes it easier for remote attackers to bypass timeout and logout actions, and retain access for a long period of time, by leveraging knowledge of a session cookie.
nvd
CVE-2006-1636P4HIGHCVSS 7.5v1.0.0v1.0.1+35 more2006-04-06
CVE-2006-1636 [HIGH] CVE-2006-1636: PHP remote file inclusion vulnerability in get_header.php in VWar 1.5.0 R12 and earlier allows remot
PHP remote file inclusion vulnerability in get_header.php in VWar 1.5.0 R12 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1503.
nvd
CVE-2010-5065P4MEDIUMCVSS 5.0v1.6.12012-10-08
CVE-2010-5065 [MEDIUM] CWE-264 CVE-2010-5065: popup.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers to bypass intended member restr
popup.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers to bypass intended member restrictions and read news posts via a modified newsid parameter in a printnews action.
nvd
CVE-2005-4748P4MEDIUMCVSS 6.8v1.3v1.4+1 more2005-12-31
CVE-2005-4748 [MEDIUM] CVE-2005-4748: PHP remote file include vulnerability in functions_admin.php in Virtual War (VWar) 1.5.0 R10 allows
PHP remote file include vulnerability in functions_admin.php in Virtual War (VWar) 1.5.0 R10 allows remote attackers to include and execute arbitrary PHP code via unspecified attack vectors. NOTE: this issue has been referred to as XSS, but it is clear from the vendor description that it is a file inclusion problem.
nvd
CVE-2006-1503P4MEDIUMCVSS 5.1v1.0.0v1.0.1+34 more2006-03-30
CVE-2006-1503 [MEDIUM] CWE-94 CVE-2006-1503: PHP remote file inclusion vulnerability in includes/functions_install.php in Virtual War (VWar) 1.5.
PHP remote file inclusion vulnerability in includes/functions_install.php in Virtual War (VWar) 1.5.0 R11 and earlier allows remote attackers to include and execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1636.
nvd
CVE-2010-5279P4MEDIUMCVSS 5.0v1.6.12012-10-08
CVE-2010-5279 [MEDIUM] CWE-189 CVE-2010-5279: article.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers to cause a denial of service
article.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers to cause a denial of service (memory consumption) via a large integer in the ratearticleselect parameter.
nvd
CVE-2010-5066P4MEDIUMCVSS 4.3v1.6.12012-10-08
CVE-2010-5066 [MEDIUM] CWE-310 CVE-2010-5066: The createRandomPassword function in includes/functions_common.php in Virtual War (aka VWar) 1.6.1 R
The createRandomPassword function in includes/functions_common.php in Virtual War (aka VWar) 1.6.1 R2 uses a small range of values to select the seed argument for the PHP mt_srand function, which makes it easier for remote attackers to determine randomly generated passwords via a brute-force attack.
nvd
CVE-2010-5064P4MEDIUMCVSS 4.3v1.6.12012-10-08
CVE-2010-5064 [MEDIUM] CWE-79 CVE-2010-5064: Multiple cross-site scripting (XSS) vulnerabilities in Virtual War (aka VWar) 1.6.1 R2 allow remote
Multiple cross-site scripting (XSS) vulnerabilities in Virtual War (aka VWar) 1.6.1 R2 allow remote attackers to inject arbitrary web script or HTML via (1) the Additional Information field to challenge.php, the (2) Additional Information or (3) Contact information field to joinus.php, (4) the War Report field to admin/admin.php in a finishwar action, o
nvd
CVE-2007-2306P4MEDIUMCVSS 4.3≤ 1.5.0_r152007-04-26
CVE-2007-2306 [MEDIUM] CVE-2007-2306: Multiple cross-site scripting (XSS) vulnerabilities in the Virtual War (VWar) 1.5.0 R15 and earlier
Multiple cross-site scripting (XSS) vulnerabilities in the Virtual War (VWar) 1.5.0 R15 and earlier module for PHP-Nuke, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) memberlist parameter to extra/login.php and the (2) title parameter to extra/today.php.
nvd
CVE-2006-4224P4MEDIUMCVSS 4.3≤ 1.5.0v1.0.0+23 more2006-08-18
CVE-2006-4224 [MEDIUM] CVE-2006-4224: Cross-site scripting (XSS) vulnerability in calendar.php in Virtual War (VWar) 1.5.0 and earlier all
Cross-site scripting (XSS) vulnerability in calendar.php in Virtual War (VWar) 1.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the year parameter. NOTE: The page parameter vector is covered by CVE-2006-4009.
nvd
1 / 2Next →