SQL injection vulnerability in session.php in LinPHA 0.9.4 allows remote attackers to execute arbitrary SQL code and bypass authentication via the (1) linpha_userid or (2) linpha_password cookies.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linpha | linpha | 0.9.0 |
| linpha | linpha | 0.9.1 |
| linpha | linpha | 0.9.2 |
| linpha | linpha | 0.9.3 |
| linpha | linpha | 0.9.4 |
Directory traversal vulnerability in LinPHA 1.0 allows remote attackers to include arbitrary files via .. (dot dot) sequences in the (1) lang parameter in docs/index.php and the language parameter in (2) install/install.php, (3) install/sec_stage_install.php, (4) install/third_stage_install.php, and (5) install/forth_stage_install.php. NOTE: direct static code injection is resultant from this issue, as demonstrated by inserting PHP code into the username, which is inserted into linpha.log, which is accessible from the directory traversal.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linpha | linpha | 0.9.0 |
| linpha | linpha | 1.0 |
| linpha | linpha | 0.9.1 |
| linpha | linpha | 0.9.2 |
| linpha | linpha | 0.9.3 |
| linpha | linpha | 0.9.4 |
Multiple cross-site scripting (XSS) vulnerabilities in stats_view.php in LinPHA 1.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, and (3) date parameter.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linpha | linpha | 1.1.0 |
Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) RSS/RSS.php and (2) possibly other vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linpha | linpha | 1.0 |
| linpha | linpha | 1.1.0 |
SQL injection vulnerability in functions/db_api.php in LinPHA 1.1.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linpha | linpha | 1.0 |
| linpha | linpha | 1.1.0 |
LinPHA 1.3.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by viewer.php and certain other files.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linpha | linpha | 1.3.4 |
Cross-site scripting (XSS) vulnerability in LinPHA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linpha | linpha | - |