dignajar/nibbleblog

dignajar/nibbleblog

www.nibbleblog.com

Releases3

Frequency13 hours

Last Release over 12 years ago

Stars230

Easy, fast and free CMS Blog. All you need is PHP to work.

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2020-23356 ↗	Jan 27, 2021Wednesday, 27 January 2021, 16:15	7.5 HIGH	5 MEDIUM
dmin/kernel/api/login.class.phpin in nibbleblog v3.7.1c allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
CVE-2019-7719 ↗	Feb 11, 2019Monday, 11 February 2019, 04:29	—	7.5 HIGH
Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request.
CVE-2018-16604 ↗	Sep 6, 2018Thursday, 6 September 2018, 16:29	—	6.5 MEDIUM
An issue was discovered in Nibbleblog v4.0.5. With an admin's username and password, an attacker can execute arbitrary PHP code by changing the username because the username is surrounded by double quotes (e.g., "${phpinfo()}").
CVE-2018-6470 ↗	Feb 1, 2018Thursday, 1 February 2018, 13:29	—	5 MEDIUM
Nibbleblog 4.0.5 on macOS defaults to having .DS_Store in each directory, causing DS_Store information to leak.