PHP remote file inclusion vulnerability in include/common.php in Poplar Gedcom Viewer 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[rootPath] parameter.

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Poplar Gedcom Viewer 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) text and (2) ul parameters. NOTE: the provenance of this information is unknown; t