ID: OSVDB:20233
Type: osvdb
Reporter: OSVDB
Modified: 2001-12-03T05:18:10
Description
No description provided by the source
References:
Related OSVDB ID: 20232
Related OSVDB ID: 20231
Related OSVDB ID: 20230
Related OSVDB ID: 20234
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0009.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0156.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0168.html
Mail List Post: http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0878.html
ISS X-Force ID: 7654
CVE-2001-1524
Bugtraq ID: 3609
{"cve": [{"lastseen": "2021-02-02T05:19:05", "description": "Cross-site scripting (XSS) vulnerability in PHP-Nuke 5.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) uname parameter in user.php, (2) ttitle, letter and file parameters in modules.php, (3) subject, story and storyext parameters in submit.php, (4) upload parameter in admin.php and (5) fname parameter in friend.php.", "edition": 4, "cvss3": {}, "published": "2001-12-31T05:00:00", "title": "CVE-2001-1524", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-1524"], "modified": "2008-09-10T19:10:00", "cpe": ["cpe:/a:francisco_burzi:php-nuke:5.0.1", "cpe:/a:francisco_burzi:php-nuke:3.0", "cpe:/a:francisco_burzi:php-nuke:4.3", "cpe:/a:francisco_burzi:php-nuke:4.4.1a", "cpe:/a:francisco_burzi:php-nuke:5.0", "cpe:/a:francisco_burzi:php-nuke:5.2", "cpe:/a:francisco_burzi:php-nuke:4.0", "cpe:/a:francisco_burzi:php-nuke:4.4", "cpe:/a:francisco_burzi:php-nuke:5.3.1", "cpe:/a:francisco_burzi:php-nuke:5.2a", "cpe:/a:francisco_burzi:php-nuke:5.1"], "id": "CVE-2001-1524", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1524", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:francisco_burzi:php-nuke:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:5.2a:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:5.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:francisco_burzi:php-nuke:4.4.1a:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:5.2:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:4.4:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "cvelist": ["CVE-2001-1524"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 20232](https://vulners.com/osvdb/OSVDB:20232)\n[Related OSVDB ID: 20231](https://vulners.com/osvdb/OSVDB:20231)\n[Related OSVDB ID: 20233](https://vulners.com/osvdb/OSVDB:20233)\n[Related OSVDB ID: 20234](https://vulners.com/osvdb/OSVDB:20234)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0009.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0156.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0168.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0878.html\nISS X-Force ID: 7654\n[CVE-2001-1524](https://vulners.com/cve/CVE-2001-1524)\nBugtraq ID: 3609\n", "modified": "2001-12-03T05:18:10", "published": "2001-12-03T05:18:10", "href": "https://vulners.com/osvdb/OSVDB:20230", "id": "OSVDB:20230", "type": "osvdb", "title": "PHP-Nuke user.php uname Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "cvelist": ["CVE-2001-1524"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 20232](https://vulners.com/osvdb/OSVDB:20232)\n[Related OSVDB ID: 20230](https://vulners.com/osvdb/OSVDB:20230)\n[Related OSVDB ID: 20233](https://vulners.com/osvdb/OSVDB:20233)\n[Related OSVDB ID: 
20234](https://vulners.com/osvdb/OSVDB:20234)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0009.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0156.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0168.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0878.html\nISS X-Force ID: 7654\n[CVE-2001-1524](https://vulners.com/cve/CVE-2001-1524)\nBugtraq ID: 3609\n", "modified": "2001-12-03T05:18:10", "published": "2001-12-03T05:18:10", "href": "https://vulners.com/osvdb/OSVDB:20231", "id": "OSVDB:20231", "type": "osvdb", "title": "PHP-Nuke modules.php Multiple Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "cvelist": ["CVE-2001-1524"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 20231](https://vulners.com/osvdb/OSVDB:20231)\n[Related OSVDB ID: 20230](https://vulners.com/osvdb/OSVDB:20230)\n[Related OSVDB ID: 20233](https://vulners.com/osvdb/OSVDB:20233)\n[Related OSVDB ID: 20234](https://vulners.com/osvdb/OSVDB:20234)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0009.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0156.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0168.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0878.html\nISS X-Force ID: 7654\n[CVE-2001-1524](https://vulners.com/cve/CVE-2001-1524)\nBugtraq ID: 3609\n", "modified": "2001-12-03T05:18:10", "published": "2001-12-03T05:18:10", "href": "https://vulners.com/osvdb/OSVDB:20232", "id": "OSVDB:20232", "type": "osvdb", "title": "PHP-Nuke submit.php Multiple Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", 
"bulletinFamily": "software", "cvelist": ["CVE-2001-1524"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 20232](https://vulners.com/osvdb/OSVDB:20232)\n[Related OSVDB ID: 20231](https://vulners.com/osvdb/OSVDB:20231)\n[Related OSVDB ID: 20230](https://vulners.com/osvdb/OSVDB:20230)\n[Related OSVDB ID: 20233](https://vulners.com/osvdb/OSVDB:20233)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0009.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0156.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-12/0168.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0878.html\nISS X-Force ID: 7654\n[CVE-2001-1524](https://vulners.com/cve/CVE-2001-1524)\nBugtraq ID: 3609\n", "modified": "2001-12-03T05:18:10", "published": "2001-12-03T05:18:10", "href": "https://vulners.com/osvdb/OSVDB:20234", "id": "OSVDB:20234", "type": "osvdb", "title": "PHP-Nuke friend.php fname Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-02T15:49:05", "description": "PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x user.php uname Parameter XSS Vulnerability. CVE-2001-1524. Webapps exploit for php platform", "published": "2001-12-03T00:00:00", "type": "exploitdb", "title": "PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x user.php uname Parameter XSS Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-1524"], "modified": "2001-12-03T00:00:00", "id": "EDB-ID:21165", "href": "https://www.exploit-db.com/exploits/21165/", "sourceData": "source: http://www.securityfocus.com/bid/3609/info\r\n\r\nPHPNuke is a website creation/maintenance tool.\r\n\r\nPHPNuke is prone to cross-site scripting attacks. It is possible to create a link to the PHPNuke user information page, 'user.php', which contains malicious script code. 
When the link is clicked by an unsuspecting web user, the malicious script code will be executed on the user in the context of the site running PHPNuke.\r\n\r\nThis attack may be used to steal a user's cookie-based authentication credentials for the vulnerable PHPNuke site.\r\n\r\nPostNuke is also affected by a number of these issues.\r\n\r\nThis problem has also been reported with other scripts included in the PHPNuke package. More specifically, modules.php, upload.php, friend.php and submit.php are also vulnerable under some circumstances. Different parameters to the user.php script may also be sufficient for a cross-site scripting attack.\r\n\r\nAn additional cross-site scripting vulnerability has been reported in modules.php for PostNuke.\r\n\r\n**It has been reported that the cross-site scripting issue affecting the 'ttitle' parameter of 'modules.php' script has been re-introduced in newer versions of the PHPNuke application. This issue is reported to affect versions 7.2 and prior. \r\n\r\nhttp://phpnukesite/user.php?op=userinfo&uname=<script>alert(document.cookie);</script>", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/21165/"}, {"lastseen": "2016-02-02T15:49:16", "description": "PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x modules.php Multiple Parameter XSS Vulnerability. CVE-2001-1524. Webapps exploit for php platform", "published": "2001-12-03T00:00:00", "type": "exploitdb", "title": "PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x modules.php Multiple Parameter XSS Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-1524"], "modified": "2001-12-03T00:00:00", "id": "EDB-ID:21166", "href": "https://www.exploit-db.com/exploits/21166/", "sourceData": "source: http://www.securityfocus.com/bid/3609/info\r\n \r\nPHPNuke is a website creation/maintenance tool.\r\n \r\nPHPNuke is prone to cross-site scripting attacks. 
It is possible to create a link to the PHPNuke user information page, 'user.php', which contains malicious script code. When the link is clicked by an unsuspecting web user, the malicious script code will be executed on the user in the context of the site running PHPNuke.\r\n \r\nThis attack may be used to steal a user's cookie-based authentication credentials for the vulnerable PHPNuke site.\r\n \r\nPostNuke is also affected by a number of these issues.\r\n \r\nThis problem has also been reported with other scripts included in the PHPNuke package. More specifically, modules.php, upload.php, friend.php and submit.php are also vulnerable under some circumstances. Different parameters to the user.php script may also be sufficient for a cross-site scripting attack.\r\n \r\nAn additional cross-site scripting vulnerability has been reported in modules.php for PostNuke.\r\n \r\n**It has been reported that the cross-site scripting issue affecting the 'ttitle' parameter of 'modules.php' script has been re-introduced in newer versions of the PHPNuke application. This issue is reported to affect versions 7.2 and prior. \r\n\r\nhttp://phpnukesite/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=2&ttitle=%3Cscript%3Ealert(document.location)%3C/script%3E ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/21166/"}]}