Blog Project >> Blog >> 1.2 Security Vulnerabilities
m1k1o/blog is a lightweight self-hosted Facebook-styled PHP blog. Errors from the `imagecreatefrom*` and `image*` functions were not checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (which could contain a malicious payload) was kept on disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CVSS Score: 8.5
EPSS Score: 0.036
Published: 2022-02-08
SQL Injection exists in tianchoy/blog through 2017-09-12 via the id parameter to view.php.
CVSS Score: 9.8
EPSS Score: 0.003
Published: 2017-09-12
upload.php in tianchoy/blog through 2017-09-12 allows unrestricted file upload and PHP code execution by using the image/jpeg, image/pjpeg, image/png, or image/gif content type for a .php file.
CVSS Score: 9.8
EPSS Score: 0.01
Published: 2017-09-12

