11 matches found
CVE-2018-17870
An issue was discovered in BTITeam XBTIT 2.5.4. The "returnto" parameter of accountchange.php is vulnerable to an open redirect, a different vulnerability than CVE-2018-15683...
CVE-2018-17870
An issue was discovered in BTITeam XBTIT 2.5.4. The "returnto" parameter of accountchange.php is vulnerable to an open redirect, a different vulnerability than CVE-2018-15683...
CVE-2018-15679
An issue was discovered in BTITeam XBTIT 2.5.4. The "keywords" parameter in the search function available at /index.php?page=forums&action=search is vulnerable to reflected cross-site scripting...
Cross site request forgery (csrf)
The newsfeed aka /index.php?page=viewnews in BTITeam XBTIT 2.5.4 has stored XSS via the title of a news item. This is also exploitable via CSRF...
Cross site scripting
An issue was discovered in BTITeam XBTIT 2.5.4. The "act" parameter in the sign-up page available at /index.php?page=signup is vulnerable to reflected cross-site scripting...
CVE-2018-16361
An issue was discovered in BTITeam XBTIT 2.5.4. news.php allows XSS via the id parameter...
CVE-2018-15679
An issue was discovered in BTITeam XBTIT 2.5.4. The "keywords" parameter in the search function available at /index.php?page=forums&action=search is vulnerable to reflected cross-site scripting...
CVE-2018-15678
BTITeam XBTIT 2.5.4 contains a reflected cross-site scripting (XSS) vulnerability in the sign-up page ( /index.php?page=signup ) via the act parameter. The NVD entry CVE-2018-15678 documents this issue with CVSS v2 base score 4.3 ( MEDIUM ) and CVSS v3 base score 6.1 ( MEDIUM ), indicating networ...
CVE-2018-15681
An issue was discovered in BTITeam XBTIT 2.5.4. When a user logs in, their password hash is rehashed using a predictable salt and stored in the "pass" cookie, which is not flagged as HTTPOnly. Due to the weak and predictable salt that is in place, an attacker who successfully steals this cookie c...
CVE-2018-15677
BTITeam XBTIT 2.5.4 contains a stored cross-site scripting (XSS) vulnerability in the newsfeed page (/index.php?page=viewnews) where the news item title is not correctly sanitized. The issue can be triggered via standard XSS and is also exploitable through CSRF. The root cause is the failure to p...
CVE-2018-15680
CVE-2018-15680 affects BTITeam XBTIT 2.5.4 where passwords in the xbtit_users table are stored as unsalted MD5 hashes. The root cause is weak password hashing, enabling context-dependent attackers to brute-force and recover cleartext passwords. Public details in the provided documents confirm the...