Phorum 5.1.20 Security Vulnerabilities
Multiple SQL injection vulnerabilities in Phorum before 5.1.22 allow remote attackers to execute arbitrary SQL commands via (1) a modified recipients parameter name in (a) pm.php; (2) the curr parameter to the (b) badwords (aka censorlist) or (c) banlist module in admin.php; or (3) the "Edit groups / Add group" field in the (d) groups module in admin.php.
CVSS Score: 7.5 | EPSS Score: 0.028 | Published: 2007-04-27
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Phorum before 5.1.22 allow remote attackers to inject arbitrary web script or HTML via the (1) group_id parameter in the groups module or (2) the smiley_id parameter in the smileys modsettings module.
CVSS Score: 4.3 | EPSS Score: 0.071 | Published: 2007-04-25
include/controlcenter/users.php in Phorum before 5.1.22 allows remote authenticated moderators to gain privileges via a modified (1) user_ids POST parameter or (2) userdata array.
CVSS Score: 6.5 | EPSS Score: 0.159 | Published: 2007-04-25
admin.php in Phorum before 5.1.22 allows remote attackers to obtain the full path via the module[] parameter.
CVSS Score: 5.0 | EPSS Score: 0.132 | Published: 2007-04-25

