Youphptube: >> Youphptube >> 4.0.2 Security Vulnerabilities
YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-01-13
YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences.
CVSS Score
5.5
EPSS Score
0.002
Published
2026-01-13
AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the searchPhrase parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-11-01
AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the u parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-11-01
AVideo/YouPHPTube 10.0 and prior is affected by Insecure file write. An administrator privileged user is able to write files on filesystem using flag and code variables in file save.php.
CVSS Score
7.2
EPSS Score
0.012
Published
2021-11-01
AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cross Script Scripting vulnerabilities via the videoName parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-11-01
AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior is affected by a SQL Injection SQL injection in the catName parameter which allows a remote unauthenticated attacker to retrieve databases information such as application passwords hashes.
CVSS Score
7.5
EPSS Score
0.008
Published
2021-11-01
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-11-02
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code.
CVSS Score
9.8
EPSS Score
0.021
Published
2019-09-09
plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection.
CVSS Score
5.3
EPSS Score
0.015
Published
2019-08-20
Page 1