PHP Exploits
1,332 exploits tracked across all sources.
Apache HTTP Server 2.4.17 to 2.4.38 - Local Privilege Escalation (Use After Free)
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
by cfreal
CVSS 7.8
Thinkst Canarytokens <= 4e89ee0 - Info Disclosure
Thinkst Canarytokens through commit hash 4e89ee0 (2019-03-01) relies on limited variation in size, metadata, and timestamp, which makes it easier for attackers to estimate whether a Word document contains a token.
by Benjamin Zink Loft, Gionathan Reale
CVSS 7.5
Moodle 3.x - RCE
An issue was discovered in Moodle 3.x. A user with the Teacher role who creates a Calculated question can deliberately trigger remote code execution on the server (eval injection).
by Darryn Ten
CVSS 8.8
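The Moodle entry above is a textbook eval injection: a formula string supplied by a privileged-but-untrusted user reaches PHP's eval(). The safe design is to never evaluate the string as PHP at all. The following is an added example, not Moodle's code, of a small recursive-descent evaluator that accepts only numbers, {placeholders}, the operators + - * / ^, parentheses and an allow-list of functions; the class name, the grammar and the hostile inputs at the bottom are constructed for the demo.

```php
<?php
// Added example, not Moodle's code: evaluate a teacher-supplied formula such as
// "{a} * 2 + sqrt({b}) ^ 2" with a small recursive-descent parser instead of
// handing the string to eval(). Only numbers, {placeholders}, + - * / ^,
// parentheses and an allow-list of functions are accepted; anything else is
// rejected before evaluation. The class name and grammar are assumptions.
final class FormulaEvaluator
{
    // Allow-listed function names mapped to the PHP builtins that implement them.
    private const FUNCTIONS = ['sqrt' => 'sqrt', 'sin' => 'sin', 'cos' => 'cos',
                               'log' => 'log', 'exp' => 'exp', 'abs' => 'abs'];
    private array $tokens;
    private array $vars;
    private int $pos = 0;

    public static function evaluate(string $formula, array $vars = []): float
    {
        $p = new self();
        $p->vars = $vars;
        $p->tokens = self::tokenize($formula);
        $value = $p->parseExpression();
        if ($p->pos !== count($p->tokens)) {
            throw new InvalidArgumentException('Unexpected token: ' . $p->tokens[$p->pos]);
        }
        return $value;
    }

    // Lexer: whitespace is dropped; any character outside the grammar is an error.
    private static function tokenize(string $formula): array
    {
        $s = preg_replace('/\s+/', '', $formula);
        $re = '/\d+(?:\.\d+)?|\{[a-z_][a-z0-9_]*\}|[a-z]+|[-+*\/^(),]/Ai';
        $tokens = [];
        for ($offset = 0; $offset < strlen($s); $offset += strlen($m[0])) {
            if (!preg_match($re, $s, $m, 0, $offset)) {
                throw new InvalidArgumentException("Illegal character '{$s[$offset]}' at offset $offset");
            }
            $tokens[] = $m[0];
        }
        return $tokens;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function next(): string
    {
        if ($this->peek() === null) throw new InvalidArgumentException('Unexpected end of formula');
        return $this->tokens[$this->pos++];
    }

    private function expect(string $t): void
    {
        if ($this->next() !== $t) throw new InvalidArgumentException("Expected '$t'");
    }

    // expression := term (('+' | '-') term)*
    private function parseExpression(): float
    {
        $v = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->next() === '+' ? $v + $this->parseTerm() : $v - $this->parseTerm();
        }
        return $v;
    }

    // term := unary (('*' | '/') unary)*
    private function parseTerm(): float
    {
        $v = $this->parseUnary();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $r = $this->parseUnary();
            if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('Division by zero in formula');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    // unary := '-' unary | primary ('^' unary)?   (so -2^2 is -(2^2); ^ is right-associative)
    private function parseUnary(): float
    {
        if ($this->peek() === '-') { $this->next(); return -$this->parseUnary(); }
        $base = $this->parsePrimary();
        if ($this->peek() === '^') { $this->next(); return $base ** $this->parseUnary(); }
        return $base;
    }

    // primary := number | {placeholder} | '(' expression ')' | function '(' expression (',' expression)* ')'
    private function parsePrimary(): float
    {
        $t = $this->next();
        if (is_numeric($t)) return (float) $t;
        if ($t[0] === '{') {
            $name = substr($t, 1, -1);
            if (!array_key_exists($name, $this->vars)) throw new InvalidArgumentException("Unknown placeholder $t");
            return (float) $this->vars[$name];
        }
        if ($t === '(') { $v = $this->parseExpression(); $this->expect(')'); return $v; }
        if (!ctype_alpha($t)) throw new InvalidArgumentException("Unexpected token: $t");
        $fn = strtolower($t);
        if (!isset(self::FUNCTIONS[$fn])) throw new InvalidArgumentException("Function not allowed: $t");
        $this->expect('(');
        $args = [$this->parseExpression()];
        while ($this->peek() === ',') { $this->next(); $args[] = $this->parseExpression(); }
        $this->expect(')');
        return (float) (self::FUNCTIONS[$fn])(...$args);
    }
}

echo FormulaEvaluator::evaluate('{a} * 2 + sqrt({b}) ^ 2', ['a' => 3, 'b' => 16]), "\n";
// Constructed hostile formulas: each is refused by the lexer or the parser, never executed.
foreach (['system("id")', '{a}; phpinfo()', '`id`', 'eval({a})'] as $hostile) {
    try {
        FormulaEvaluator::evaluate($hostile, ['a' => 1]);
    } catch (InvalidArgumentException $e) {
        echo "rejected $hostile: ", $e->getMessage(), "\n";
    }
}
```

The point of the design is that there is no string left to bypass: a regex "validator" placed in front of eval() is only as good as the regex, whereas a parser that only knows arithmetic has no code path that could run `system`, backticks or a second statement. Placeholder values come from the application, not from the formula text, so they are substituted as numbers rather than spliced into source.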
GD Graphics Library <= 2.2.5 / PHP < 5.6.40, 7.1.x < 7.1.26, 7.2.x < 7.2.14, 7.3.x < 7.3.1 - Heap Buffer Overflow
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.
by cfreal
CVSS 8.8
Globee Woocommerce < 1.1.2 - Improper Input Validation
The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN (instant payment notification) messages.
by GeekHack
CVSS 7.5
PrestaShop <1.6.1.23, <1.7.4.4 - Path Traversal
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory.
by Fariskhi Vidyan
CVSS 7.5
PrestaShop <1.6.1.23, <1.7.4.4 - Unrestricted File Upload
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.
by Fariskhi Vidyan
CVSS 9.8
PHP 5.2.3 imap (Debian Based) - 'imap_open' disable_functions Bypass
by Anton Lopanitsyn
ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure
by numan türle
Academic Timetable Final Build 7.0 - Information Disclosure
by Ihsan Sencan
Hazzardweb EasyLogin Pro <= 1.3.0 - Insecure Deserialization
An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php contains an unserialize call that can be exploited for remote code execution in the decrypt function, if the attacker knows the key.
by mr_me
CVSS 8.1
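The EasyLogin Pro entry describes the classic unserialize-after-decrypt pattern: the key only gates who can produce acceptable ciphertext, and once the plaintext reaches unserialize() the caller no longer chooses which classes are instantiated or which magic methods run. The following is an added example, not EasyLogin Pro's code, contrasting that pattern with a version that authenticates the blob and decodes JSON instead. The key constant, the LogWriter stand-in gadget and all function names are constructed for the demo.

```php
<?php
// Added example, not EasyLogin Pro's code. decrypt_unsafe() shows the pattern the
// advisory describes: a decrypt routine that ends in unserialize(), so anyone who
// can get ciphertext accepted (here: knows the key) controls which classes get
// instantiated. decrypt_safe() authenticates first and decodes JSON, so no object
// is ever built from input. Key, class and function names are assumptions.

const KEY = 'demo-key-not-secret-0123456789ab';   // 32 bytes, constructed for the demo

// Stand-in for a gadget class already present in some codebase: unserialize()
// runs __wakeup() on it before the caller gets to inspect what came back.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public function __wakeup(): void { echo "[LogWriter::__wakeup] would now open {$this->path}\n"; }
}

function encrypt_legacy(string $plain, string $key): string
{
    $iv = random_bytes(16);
    return base64_encode($iv . openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv));
}

// Vulnerable pattern: decrypt, then unserialize whatever came out.
function decrypt_unsafe(string $blob, string $key)
{
    $raw = base64_decode($blob, true);
    $plain = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, substr($raw, 0, 16));
    return unserialize($plain);
}

// Hardened: separate encryption and MAC keys, encrypt-then-MAC, JSON instead of
// PHP serialization. A wrong key or a tampered blob fails closed before decoding.
function encrypt_safe(array $data, string $key): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt(json_encode($data, JSON_THROW_ON_ERROR), 'aes-256-cbc',
                          hash_hkdf('sha256', $key, 32, 'enc'), OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, hash_hkdf('sha256', $key, 32, 'mac'), true);
    return base64_encode($mac . $iv . $ct);
}

function decrypt_safe(string $blob, string $key): ?array
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 64) {   // 32-byte MAC + 16-byte IV + at least one block
        return null;
    }
    [$mac, $iv, $ct] = [substr($raw, 0, 32), substr($raw, 32, 16), substr($raw, 48)];
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, hash_hkdf('sha256', $key, 32, 'mac'), true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', hash_hkdf('sha256', $key, 32, 'enc'), OPENSSL_RAW_DATA, $iv);
    $data = $plain === false ? null : json_decode($plain, true);
    return is_array($data) ? $data : null;
}

// Attacker who knows the key hands the legacy routine a serialized object instead
// of the array the application expects; __wakeup() fires inside unserialize().
$hostile = encrypt_legacy(serialize(new LogWriter()), KEY);
$result = decrypt_unsafe($hostile, KEY);
echo 'legacy path returned: ', is_object($result) ? get_class($result) : gettype($result), "\n";

// Hardened path with the same key: a plain array comes back, and flipping one
// character of the blob is caught by the MAC before anything is decrypted.
$token = encrypt_safe(['user' => 'alice', 'exp' => time() + 300], KEY);
echo 'hardened path returned user: ', decrypt_safe($token, KEY)['user'], "\n";
$tampered = $token;
$tampered[50] = $tampered[50] === 'A' ? 'B' : 'A';
echo 'tampered blob decoded to: ', var_export(decrypt_safe($tampered, KEY), true), "\n";
```

Two caveats when applying this to a real codebase: unserialize() with the `allowed_classes => false` option stops object instantiation but still accepts attacker-shaped arrays and is easy to forget at one call site, so replacing the format with JSON is the more robust fix; and the MAC must be checked with hash_equals() before decryption, otherwise padding errors from openssl_decrypt() become an oracle.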
Harmis Ek Rishta 2.10 - SQL Injection
router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for Joomla! allows SQL injection via PATH_INFO on a home/requested_user/Sent%20interest/ URI.
by Guilherme Assmann
CVSS 8.8
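The Ek Rishta entry is a reminder that path segments are user input just like query parameters: a router that lifts the username out of PATH_INFO and concatenates it into SQL is injectable regardless of how the URL is encoded, because the segment is URL-decoded before it reaches the query. The following is an added example, not the ek-rishta component's code, showing the vulnerable and the parameterised handler side by side against an in-memory SQLite table; the table, column and function names and the sample rows are constructed for the demo.

```php
<?php
// Added example, not the ek-rishta component's code: a router that takes the
// requested user from PATH_INFO (e.g. /home/alice/Sent%20interest/) and looks
// up that user's sent interests. Table, column and function names are
// assumptions; the data lives in an in-memory SQLite database built here.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE interests (id INTEGER PRIMARY KEY, sender TEXT, receiver TEXT, note TEXT)');
$db->exec("INSERT INTO interests (sender, receiver, note) VALUES
           ('alice', 'bob', 'hi bob'), ('carol', 'dave', 'only for dave'), ('erin', 'alice', 'hello alice')");

// Split PATH_INFO into URL-decoded segments:
// "/home/alice/Sent%20interest/" -> ['home', 'alice', 'Sent interest'].
function route(string $pathInfo): array
{
    $segments = array_values(array_filter(explode('/', $pathInfo), 'strlen'));
    if (count($segments) < 3) {
        throw new InvalidArgumentException('Expected /home/<user>/<view>/');
    }
    return array_map('rawurldecode', $segments);
}

// Vulnerable: the decoded username is interpolated straight into the statement.
function sent_interests_vulnerable(PDO $db, string $pathInfo): array
{
    $user = route($pathInfo)[1];
    $sql = "SELECT sender, receiver, note FROM interests WHERE sender = '$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the same query with a bound parameter, so the input can only ever be a value.
function sent_interests_fixed(PDO $db, string $pathInfo): array
{
    $user = route($pathInfo)[1];
    $stmt = $db->prepare('SELECT sender, receiver, note FROM interests WHERE sender = :user');
    $stmt->execute([':user' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = '/home/alice/Sent%20interest/';
$hostile = '/home/' . rawurlencode("' OR '1'='1") . '/Sent%20interest/';   // constructed request path

// With $hostile the vulnerable WHERE clause becomes  sender = '' OR '1'='1'  and
// every row, including other users' rows, is returned.
print_r(sent_interests_vulnerable($db, $benign));
print_r(sent_interests_vulnerable($db, $hostile));
// The parameterised query compares sender to the literal string "' OR '1'='1".
print_r(sent_interests_fixed($db, $hostile));
```

The same rule applies to every other carrier of request data in a Joomla! component: `$_SERVER['PATH_INFO']`, route parameters, headers and cookies all need binding, and a web application firewall that inspects only the query string will not see a payload delivered in the path.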
jLike 1.0 - Information Disclosure
Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request.
by Ihsan Sencan
CVSS 7.5
phpFreeChat <= 1.7 - DoS
phpFreeChat 1.7 and earlier allows remote attackers to cause a denial of service by sending a large number of connect commands.
by A. Pakbaz
CVSS 7.5
PHP <5.6.32, 7.x <7.0.25, 7.1.x <7.1.11 - Info Disclosure
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.
by Wei Lei and Liu Yang
CVSS 7.5
Brother Printers and Scanners - Authentication Bypass
On certain Brother devices, authorization is mishandled: a valid AuthCookie cookie is included in the HTTP response to a failed login attempt. Affected models are: MFC-J6973CDW, MFC-J4420DW, MFC-8710DW, MFC-J4620DW, MFC-L8850CDW, MFC-J3720, MFC-J6520DW, MFC-L2740DW, MFC-J5910DW, MFC-J6920DW, MFC-L2700DW, MFC-9130CW, MFC-9330CDW, MFC-9340CDW, MFC-J5620DW, MFC-J6720DW, MFC-L8600CDW, MFC-L9550CDW, MFC-L2720DW, DCP-L2540DW, DCP-L2520DW, HL-3140CW, HL-3170CDW, HL-3180CDW, HL-L8350CDW, HL-L2380DW, ADS-2500W, ADS-1000W, ADS-1500W.
by Patryk Bogdan
CVSS 9.8
Moodle 2.x / 3.x (< 2.7.19) - SQL Injection
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
by Marko Belzetski
CVSS 9.8
Drupal 7.x Services Module - Remote Code Execution
by Charles Fol
WordPress 4.7 < 4.7.1 - Information Disclosure (User Enumeration)
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
by Dctor
CVSS 5.3