Download
| Alert*
CVE-2007-2249
include/controlcenter/users.php in Phorum before 5.1.22 allows remote authenticated moderators to gain privileges via a modified (1) user_ids POST parameter or (2) userdata array. CVE-2007-2338 Cross-site request forgery (CSRF) vulnerability in include/admin/banlist.php in Phorum before 5.1.22 allows remote attackers to perform unauthorized banlist deletions as an administrator via the delete parameter. CVE-2007-2339 Multiple SQL injection vulnerabilities in Phorum before 5.1.22 allow remote attackers to execute arbitrary SQL commands via (1) a modified recipients parameter name in (a) pm.php; (2) the curr parameter to the (b) badwords (aka censorlist) or (c) banlist module in admin.php; or (3) the "Edit groups ... CVE-2007-2250 admin.php in Phorum before 5.1.22 allows remote attackers to obtain the full path via the module[] parameter. CVE-2011-3381 Cross-site request forgery (CSRF) vulnerability in Phorum before 5.2.16 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. CVE-2011-3392 Cross-site scripting (XSS) vulnerability in control.php in the controlcenter in Phorum before 5.2.17 allows remote attackers to inject arbitrary web script or HTML via the real_name parameter. CVE-2011-3382 Cross-site scripting (XSS) vulnerability in Phorum before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2008-1486 SQL injection vulnerability in Phorum before 5.2.6, when mysql_use_ft is disabled, allows remote attackers to execute arbitrary SQL commands via the non-fulltext search. CVE-2009-0488 Cross-site scripting (XSS) vulnerability in Phorum before 5.2.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2010-1629 Cross-site scripting (XSS) vulnerability in Phorum before 5.2.15 allows remote attackers to inject arbitrary web script or HTML via an invalid email address. |