Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
php php vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2023-5340
The Five Star Restaurant Menu and Food Ordering WordPress plugin prior to 2.4.11 unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog.
Fivestarplugins Five Star Restaurant Menu
9.8
CVSSv3
CVE-2023-47130
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been dev...
Yiiframework Yii
9.8
CVSSv3
CVE-2023-45878
GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the pa...
Gibbonedu Gibbon
9.8
CVSSv3
CVE-2023-47129
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not jus...
Statamic Statamic
1 Github repository
9.8
CVSSv3
CVE-2023-47253
Qualitor up to and including 8.20 allows remote malicious users to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter.
Qualitor Qalitor
9.8
CVSSv3
CVE-2017-20187
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Magnesium-PHP up to 0.3.0. It has been classified as problematic. Affected is the function formatEmailString of the file src/Magnesium/Message/Base.php. The manipulation of the argument email/name leads to injection. Up...
Floriangaerber Magnesium-php
9.8
CVSSv3
CVE-2023-4591
A local file inclusion vulnerability has been found in WPN-XM Serverstack affecting version 0.8.6, which would allow an unauthenticated user to perform a local file inclusion (LFI) via the /tools/webinterface/index.php?page parameter by sending a GET request. This vulnerability c...
Wpn-xm Wpn-xm 0.8.6
9.8
CVSSv3
CVE-2023-46817
An issue exists in phpFox prior to 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated malicious users to inject arbitrary PH...
Phpfox Phpfox
9.8
CVSSv3
CVE-2023-42802
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system librar...
Glpi-project Glpi
1 Github repository
9.8
CVSSv3
CVE-2023-1719
Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote malicious users to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP cod...
Bitrix24 Bitrix24 22.0.300
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
cross-site request forgery
CVE-2024-34351
CVE-2024-1076
CVE-2024-25522
CVE-2024-34547
CVE-2024-4644
unauthorized
remote
CVE-2024-4671
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
NEXT »