Total
11 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6469 | 1 Playsms | 1 Playsms | 2024-07-05 | 3.3 LOW | 8.8 HIGH |
| A vulnerability was found in playSMS 1.4.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?app=main&inc=feature_firewall&op=firewall_list of the component Template Handler. The manipulation of the argument IP address with the input {{`id`} leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-270277 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-47034 | 1 Playsms | 1 Playsms | 2024-02-04 | N/A | 9.8 CRITICAL |
| A type juggling vulnerability in the component /auth/fn.php of PlaySMS v1.4.5 and earlier allows attackers to bypass authentication. | |||||
| CVE-2021-40373 | 1 Playsms | 1 Playsms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI. | |||||
| CVE-2020-15018 | 1 Playsms | 1 Playsms | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| playSMS through 1.4.3 is vulnerable to session fixation. | |||||
| CVE-2020-8644 | 1 Playsms | 1 Playsms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| PlaySMS before 1.4.3 does not sanitize inputs from a malicious string. | |||||
| CVE-2017-9080 | 1 Playsms | 1 Playsms | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection. | |||||
| CVE-2017-9101 | 1 Playsms | 1 Playsms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file. | |||||
| CVE-2008-5881 | 1 Playsms | 1 Playsms | 2024-02-04 | 7.5 HIGH | N/A |
| Multiple directory traversal vulnerabilities in playSMS 0.9.3 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) gateway_module parameter to plugin/gateway/gnokii/init.php and the (2) themes_module parameter to plugin/themes/default/init.php. | |||||
| CVE-2009-0103 | 1 Playsms | 1 Playsms | 2024-02-04 | 7.5 HIGH | N/A |
| Multiple PHP remote file inclusion vulnerabilities in playSMS 0.9.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) apps_path[plug] parameter to plugin/gateway/gnokii/init.php, the (2) apps_path[themes] parameter to plugin/themes/default/init.php, and the (3) apps_path[libs] parameter to lib/function.php. | |||||
| CVE-2004-2263 | 1 Playsms | 1 Playsms | 2024-02-04 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the valid function in fr_left.php in PlaySMS 0.7 and earlier allows remote attackers to modify SQL statements via the vc2 cookie. | |||||
| CVE-2005-4432 | 1 Playsms | 1 Playsms | 2024-02-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in PlaySMS 0.8 allows remote attackers to inject arbitrary web script or HTML via the err parameter. | |||||