Thinkphp

thinkphp

27 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (27)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-9082 3Opensourcebms ThinkphpZzzcms 3Open Source Background Management System ThinkphpZzzphp Dec 9, 2025 Feb 24, 2019 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed...Show more ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.Show less
CVE-2018-18546 1Thinkphp 1Thinkphp Nov 21, 2024 Oct 21, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
CVE-2018-18530 1Thinkphp 1Thinkphp Nov 21, 2024 Oct 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
CVE-2018-18529 1Thinkphp 1Thinkphp Nov 21, 2024 Oct 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
CVE-2018-17566 1Thinkphp 1Thinkphp Nov 21, 2024 Sep 26, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
CVE-2018-16385 1Thinkphp 1Thinkphp Nov 21, 2024 Sep 3, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
CVE-2018-10225 1Thinkphp 1Thinkphp Nov 21, 2024 Apr 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 thinkphp 3.1.3 has SQL Injection via the index.php s parameter.