usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.
CVSS Score
8.8
EPSS Score
0.003
Published
2021-03-02
fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user.
CVSS Score
4.3
EPSS Score
0.002
Published
2014-01-22
Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string.
CVSS Score
4.3
EPSS Score
0.006
Published
2014-01-22
Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, and other versions before 1.0.0, allow remote attackers to inject arbitrary web script or HTML via the URL to (1) e107_images/thumb.php or (2) rate.php, (3) resend_name parameter to e107_admin/users.php, and (4) link BBCode in user signatures.
CVSS Score
4.3
EPSS Score
0.005
Published
2012-01-04
SQL injection vulnerability in usersettings.php in e107 0.7.26, and possibly other versions before 1.0.0, allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVSS Score
5.1
EPSS Score
0.005
Published
2012-01-04
SQL injection vulnerability in image_gallery.php in the Akira Powered Image Gallery (image_gallery) plugin 0.9.6.2 for e107 allows remote attackers to execute arbitrary SQL commands via the image parameter in an image-detail action.
CVSS Score
7.5
EPSS Score
0.001
Published
2009-03-13
SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected.
CVSS Score
7.5
EPSS Score
0.015
Published
2009-03-06
SQL injection vulnerability in product_details.php in the Mytipper Zogo-shop 1.15.4 plugin for e107 allows remote attackers to execute arbitrary SQL commands via the product parameter.
CVSS Score
7.5
EPSS Score
0.002
Published
2009-02-11
SQL injection vulnerability in e107chat.php in the eChat plugin 4.2 for e107, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the nick parameter.
CVSS Score
6.8
EPSS Score
0.004
Published
2009-02-10
SQL injection vulnerability in lyrics_song.php in the Lyrics (lyrics_menu) plugin 0.42 for e107 allows remote attackers to execute arbitrary SQL commands via the l_id parameter. NOTE: some of these details are obtained from third party information.
CVSS Score
7.5
EPSS Score
0.004
Published
2008-11-04
Page 1