Directory traversal vulnerability in PHPKIT 1.6.1 R2 and earlier might allow remote authenticated users to execute arbitrary PHP code via a .. (dot dot) in the path parameter and a %00 at the end of the filename, as demonstrated by an avatar filename ending with .png%00.
CVSS Score
6.5
EPSS Score
0.017
Published
2005-12-20
Multiple eval injection vulnerabilities in the help function in PHPKIT 1.6.1 R2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary code on the server via unknown attack vectors involving uninitialized variables.
CVSS Score
5.1
EPSS Score
0.051
Published
2005-11-16
Cross-site scripting (XSS) vulnerability in popup.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary web script via the img parameter.
CVSS Score
4.3
EPSS Score
0.004
Published
2004-12-31
SQL injection vulnerability in include.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVSS Score
7.5
EPSS Score
0.006
Published
2004-12-31
Cross-site scripting (XSS) vulnerability in include.php in PHPKIT 1.6.02 and 1.6.03 allows remote attackers to inject arbitrary web script or HTML via the contact_email parameter.
CVSS Score
6.8
EPSS Score
0.007
Published
2003-11-02