Lucene search
Xoops

43 matches found

CVE
added 2007/11/20 1:0 a.m. | 300 views

CVE-2004-2756

CVE-2004-2756 is a Cross-site Scripting (XSS) vulnerability in XOOPS. The flaw affects viewtopic.php in XOOPS 2.x (possibly up to 2.0.5) and allows remote attackers to inject arbitrary web script or HTML via the (1) forum and (2) topic_id parameters. Root cause identified in multiple sources as i...

CVSS 4.3 | AI score 5.8 | EPSS 0.00413

CVE
added 2002/05/03 4:0 a.m. | 91 views

CVE-2002-0216

CVE-2002-0216 affects XOOPS 1.0 RC1: the userinfo.php script is vulnerable to SQL injection via the uid parameter, allowing remote attackers to retrieve sensitive data. The vulnerability stems from improper handling of user input in SQL clauses (example: uid value causing a syntax error revealing...

CVSS 5 | AI score 6.9 | EPSS 0.00829

CVE
added 2017/08/02 5:0 a.m. | 79 views

CVE-2017-12138

XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php caused by the URL filter. The Nuclei template confirms an open redirect where an attacker can redirect users to a malicious site, potentially enabling phishing or other unauthorized operations. Affected softwar...

CVSS 6.1 | AI score 6.2 | EPSS 0.12387

CVE
added 2007/10/31 4:0 p.m. | 64 views

CVE-2002-2386

CVE-2002-2386 describes a cross-site scripting (XSS) vulnerability in the Quizz module for XOOPS 1.0. The issue occurs when online question development allows a javascript: URL in the SRC attribute of an IMG tag, enabling remote attackers to inject arbitrary script/HTML. The provided documents id...

CVSS 4.3 | AI score 5.9 | EPSS 0.00278

CVE
added 2002/05/03 4:0 a.m. | 62 views

CVE-2002-0217

CVE-2002-0217 affects XOOPS 1.0 RC1 — the Private Message System is vulnerable to cross-site scripting via the PM title/field or the image parameter in pmlite.php. The root cause is insufficient input filtering, allowing remote attackers to run Javascript in other users’ browsers. Documented impa...

CVSS 7.5 | AI score 6.9 | EPSS 0.01288

CVE
added 2017/03/30 7:0 a.m. | 62 views

CVE-2017-7290

XOOPS (eXtensible Object Oriented Portal System) contains a SQL injection vulnerability in findusers.php affecting XOOPS 2.5.7.2 and other versions prior to 2.5.8.1. The flaw allows authenticated remote administrators to execute arbitrary SQL commands via the url parameter to findusers.php, with ...

CVSS 7.2 | AI score 7.2 | EPSS 0.00562

CVE
added 2009/07/31 8:0 p.m. | 61 views

CVE-2008-6885

XOOPS CVE-2008-6885 is an XSS in the pmlite.php component affecting XOOPS versions 2.3.1 and 2.3.2a. An attacker can inject arbitrary web script or HTML via a STYLE attribute in a URL BBCode tag in a private message. Root cause: improper handling of STYLE attributes in BBCode within private mes...

CVSS 4.3 | AI score 5.8 | EPSS 0.00516

CVE
added 2017/08/02 5:0 a.m. | 60 views

CVE-2017-12139

CVE-2017-12139 affects XOOPS Core 2.5.8 with a stored XSS in imagemanager.php due to missing MIME type validation in htdocs/class/uploader.php. The issue is caused by inadequate validation of uploaded content, enabling an attacker to inject malicious script when the affected page is viewed. Conne...

CVSS 6.1 | AI score 5.9 | EPSS 0.00234

CVE
added 2014/09/11 2:0 p.m. | 58 views

CVE-2012-0984

The CVE-2012-0984 entry affects XOOPS before 2.5.5, with multiple XSS vulnerabilities exploitable via user-controlled inputs in several PHP scripts: to_userid (modules/pm/pmlite.php), current_file, imgcat_id, and target (class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanage...

CVSS 4.3 | AI score 5.7 | EPSS 0.22328
Web

CVE
added 2005/07/01 4:0 a.m. | 57 views

CVE-2005-2112

XOOPS

CVSS 4.3 | AI score 5.8 | EPSS 0.00558

CVE
added 2008/12/18 9:0 p.m. | 57 views

CVE-2008-5665

CVE-2008-5665: A SQL injection vulnerability exists in the XOOPS xhresim module, specifically in index.php, allowing remote attackers to execute arbitrary SQL commands via the no parameter. The connected documents confirm the affected component (xhresim module, index.php) and the vulnerability cl...

CVSS 7.5 | AI score 8.4 | EPSS 0.00414

CVE
added 2017/04/24 10:0 a.m. | 57 views

CVE-2017-7944

CVE-2017-7944 affects XOOPS Core 2.5.8.1. The vulnerability is a cross-site scripting (XSS) flaw caused by unescaped HTML output in the Install DB failure error message shown by page_dbsettings.php. Public sources in connected documents consistently describe the issue as an XSS in XOOPS Core 2.5....

CVSS 6.1 | AI score 6.1 | EPSS 0.00234

CVE
added 2010/05/07 6:23 p.m. | 55 views

CVE-2009-4851

XOOPS Profiles Module vulnerability (pre-2.4.1) allows remote attackers to bypass administrative approval via activation resend: activation codes are sent in response to arbitrary activation requests (activate.php). Affects XOOPS Profiles Module; root cause is improper handling of activation requ...

CVSS 5 | AI score 7 | EPSS 0.00264

CVE
added 2019/09/30 3:15 p.m. | 55 views

CVE-2019-16683

The CVE-2019-16683 vulnerability affects the Xoops 2.5.10 image-manager. When editing an image, hovering the breadcrumb that shows the category name triggers a JavaScript payload, indicating a cross-site scripting issue in the image-manager component. The available sources describe the affected f...

CVSS 4.8 | AI score 5.1 | EPSS 0.00327

CVE
added 2006/05/22 10:0 p.m. | 54 views

CVE-2006-2516

This CVE (CVE-2006-2516) affects XOOPS 2.0.13.2 and earlier when PHP register_globals is enabled. An attacker can overwrite variables (e.g., $xoopsOption['nocommon']) and perform directory traversal or include PHP files by injecting PHP sequences via xoopsConfig[language] to misc.php or via xoops...

CVSS 5.1 | AI score 6.7 | EPSS 0.05235

CVE
added 2005/07/01 4:0 a.m. | 52 views

CVE-2005-2113

XOOPS <= 2.0.11 is affected by an SQL injection in the XMLRPC loginUser function that lets remote attackers execute arbitrary SQL and bypass authentication via crafted XML (e.g., blogger.getPost). The issue is documented as CVE-2005-2113; severity is HIGH (CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:P)....

CVSS 7.5 | AI score 8.6 | EPSS 0.00973

CVE
added 2006/11/08 11:0 p.m. | 52 views

CVE-2006-5810

Affected software: XOOPS 1.0, module wfdownloads, endpoint /modules/wfdownloads/newlist.php. Vulnerability: Cross-site scripting (XSS) via the parameter newdownloadshowdays. The root cause is manipulation of user-supplied input in the vulnerable script, allowing injection of arbitrary web scri...

CVSS 6.8 | AI score 6 | EPSS 0.00353
Web

CVE
added 2007/10/31 4:0 p.m. | 51 views

CVE-2002-2391

The CVE-2002-2391 entry describes a SQL injection in WebChat 1.5 (included with XOOPS 1.0) via the roomid parameter in index.php, enabling remote arbitrary SQL commands. The connected documents provide concrete details (affected software and vulnerable parameter) but do not include exploitation s...

CVSS 7.5 | AI score 8.8 | EPSS 0.00372

CVE
added 2005/11/18 11:0 p.m. | 51 views

CVE-2005-3680

The CVE-2005-3680 entry concerns XOOPS 2.2.3. It describes a directory traversal/Local File Inclusion in editor_registry.php, exploitable via a .. in the xoopsConfig[language] parameter, allowing remote attackers to read or include arbitrary local files. The affected component is XOOPS 2.2.3 (edi...

CVSS 6.4 | AI score 6.5 | EPSS 0.00678

CVE
added 2008/02/06 11:0 a.m. | 51 views

CVE-2008-0613

CVE-2008-0613 describes an open redirect vulnerability in XOOPS 2.0.18, exploitable through the xoops_redirect parameter in htdocs/user.php to redirect users to arbitrary sites. Public references (NVD, PRION, CVE List, CVELIST, etc.) confirm the issue; no explicit exploit code or active exploit s...

CVSS 5 | AI score 6.7 | EPSS 0.02866
Web

CVE
added 2009/11/17 6:0 p.m. | 51 views

CVE-2009-3963

XOOPS (before version 2.4.0 Final) is cited in connected sources as having a cross-site scripting vulnerability in misc.php: the script does not sanitize the requested URI before displaying it, enabling a remote attacker to craft a URL that executes script in victims’ browsers. CVE-2009-3963 is t...

CVSS 7.5 | AI score 6.8 | EPSS 0.0036

CVE
added 2017/07/12 9:0 p.m. | 51 views

CVE-2017-11174

CVE-2017-11174 is a SQL injection vulnerability affecting XOOPS Core 2.5.8.1, in the file install/page_dbsettings.php. The issue arises from unfiltered data being passed to CREATE and ALTER SQL queries, with a specific relation to GBK in CHARACTER SET and COLLATE clauses. The vulnerability allows...

CVSS 9.8 | AI score 9.8 | EPSS 0.0025
Web

CVE
added 2007/01/19 11:0 p.m. | 50 views

CVE-2007-0377

CVE-2007-0377 affects Xoops 2.0.16: core/kernel/group.php (id) and Weblinks/module/class/table_broken.php (lid) have unsanitized inputs leading to SQL injection. Remote attackers could potentially execute arbitrary SQL per the reported vectors. The provided documents do not specify a patch or mit...

CVSS 7.5 | AI score 8.4 | EPSS 0.00977
Web

CVE
added 2019/09/30 3:28 p.m. | 50 views

CVE-2019-16684

CVE-2019-16684 affects Xoops 2.5.10 image-manager. A stored cross-site scripting issue occurs when an image is named with a JavaScript payload; hovering over such items in the list or Edit page causes the payload to execute. The Red Hat entry corroborates the same description. No explicit remedia...

CVSS 4.8 | AI score 5.1 | EPSS 0.00327

CVE
added 2008/03/06 1:0 a.m. | 49 views

CVE-2003-1550

CVE-2003-1550 affects XOOPS 2.0 (and possibly earlier versions). The vulnerability arises from handling a malformed xoopsOption parameter, which allows remote attackers to cause error messages that reveal the installation path, exposing sensitive information. The issue is an information disclosure...

CVSS 5 | AI score 6.7 | EPSS 0.08079

CVE
added 2009/07/31 8:0 p.m. | 49 views

CVE-2008-6884

CVE-2008-6884 describes multiple directory traversal vulnerabilities in XOOPS 2.3.1 where remote attackers can cause local file inclusion/execution by manipulating the xoopsConfig[language] parameter. The issue affects blocks.php and main.php inside xoops_lib/modules/protector/ and is tied to reg...

CVSS 6.8 | AI score 7.5 | EPSS 0.05657
Web

CVE
added 2005/06/28 4:0 a.m. | 48 views

CVE-2002-1802

XSS vulnerability CVE-2002-1802 affects XOOPS 1.0 RC3. The flaw allows remote attackers to inject arbitrary script/HTML via Javascript in an IMG tag when submitting news, due to insufficient input sanitization in the news submission workflow. Impact is Cross‑Site Scripting; no exploit vectors or ...

CVSS 4.3 | AI score 5.7 | EPSS 0.00905

CVE
added 2009/08/17 4:0 p.m. | 47 views

CVE-2009-2783

XOOPS 2.3.3 is affected by multiple XSS vulnerabilities. The flaw involves unsanitized input in the op parameter of modules/pm/viewpmsg.php and in the query string of modules/profile/user.php, allowing remote attackers to inject arbitrary script/HTML. Impact is user/browser-level content manipula...

CVSS 4.3 | AI score 5.9 | EPSS 0.07274
Web

CVE
added 2005/10/26 4:0 a.m. | 45 views

CVE-2005-2338

XOOPS XSS vulnerabilities (CVE-2005-2338) affect XOOPS 2.0.12 JP and earlier, 2.0.13.1 and earlier, and 2.2.x up to 2.2.3 RC1. The issues enable remote attackers to inject arbitrary web script or HTML via (1) modules that use the XOOPS Code and (2) the newbb forum module. Root cause is cross-site...

CVSS 4.3 | AI score 5.8 | EPSS 0.01296

CVE
added 2008/07/25 1:18 p.m. | 45 views

CVE-2008-3295

CVE-2008-3295 describes a cross-site scripting (XSS) vulnerability in XOOPS 2.0.18.1, specifically in modules/system/admin.php, where an attacker can inject arbitrary script or HTML through the fct parameter. The vulnerability is documented across multiple sources (NVD, CVE listings, and related ...

CVSS 4.3 | AI score 5.6 | EPSS 0.00318
Web

CVE
added 2011/09/24 12:0 a.m. | 45 views

CVE-2011-3822

CVE-2011-3822 affects XOOPS 2.5.0. The vulnerability is an information disclosure where a direct request to a .php file (e.g., modules/system/xoops_version.php) can reveal the installation path in an error message. The issue is documented across multiple sources (NVD, Red Hat, OpenVAS, etc.) with...

CVSS 5 | AI score 6.3 | EPSS 0.00283

CVE
added 2014/11/20 11:0 a.m. | 43 views

CVE-2014-8999

CVE-2014-8999 describes an SQL injection in XOOPS prior to 2.5.7 Final. The vulnerability exists in htdocs/modules/system/admin.php via the selgroups parameter, allowing remote authenticated users to execute arbitrary SQL commands. Affected software: XOOPS (PHP-based CMS); vulnerable component: a...

CVSS 6.5 | AI score 8.2 | EPSS 0.00308
Web

CVE
added 2005/03/13 5:0 a.m. | 42 views

CVE-2005-0743

The CVE describes an arbitrary PHP file upload flaw in XOOPS 2.0.9.2 and earlier, exploitable via the uploader.php feature because file extensions are not filtered. This allows remote attackers to upload and potentially execute PHP scripts, with impact on confidentiality, integrity, and availabil...

CVSS 7.5 | AI score 7.4 | EPSS 0.00911

CVE
added 2008/02/06 11:0 a.m. | 42 views

CVE-2008-0612

Vulnerability (CVE-2008-0612) affects XOOPS 2.0.18: a directory traversal in htdocs/install/index.php allows remote attackers to include and execute arbitrary local files by manipulating the lang parameter (using ..). This results in potential partial disclosure and modification of data and possi...

CVSS 7.5 | AI score 7.1 | EPSS 0.05073
Web

CVE
added 2008/04/30 3:0 p.m. | 42 views

CVE-2008-2035

CVE-2008-2035 is a cross-site scripting (XSS) vulnerability affecting Bluemoon Inc. XOOPS modules: Backpack 0.91 and earlier, BmSurvey 0.84 and earlier, newbb_fileup 1.83 and earlier, News_embed (news_fileup) 1.44 and earlier, and PopnupBlog 3.19 and earlier, used with XOOPS 2.0.x, XOOPS Cube 2.1...

CVSS 4.3 | AI score 5.7 | EPSS 0.00329

CVE
added 2007/10/03 2:0 p.m. | 41 views

CVE-2007-5188

CVE-2007-5188 affects XOOPS (uploader class) in XOOPS 2.0.17.1-RC1 and earlier. The issue is an unspecified remote upload vulnerability tied to improper upload configuration in class/uploader.php and class/mimetypes.inc.php, with a possibly incomplete blacklist that omits the .php4 extension. Con...

CVSS 7.5 | AI score 7 | EPSS 0.01292
Web

CVE
added 2011/11/28 9:0 p.m. | 41 views

CVE-2011-4565

CVE-2011-4565 concerns XOOPS, affecting version 2.5.1.a (and possibly earlier). It describes two cross-site scripting (XSS) vectors: (1) the text parameter to include/formdhtmltextarea_preview.php and (2) the img BBCode tag within the message parameter to pmlite.php (Private Message). The availab...

CVSS 4.3 | AI score 6 | EPSS 0.00475
Web

CVE
added 2006/08/28 9:0 p.m. | 40 views

CVE-2006-4417

XOOPS contains a SQL injection vulnerability (CVE-2006-4417) in edituser.php via the user_avatar parameter, affecting XOOPS prior to version 2.0.15. The issue allows remote attackers to execute arbitrary SQL commands; no exploitation details are provided in the documents. The public references in...

CVSS 7.5 | AI score 8.8 | EPSS 0.0139

CVE
added 2008/07/25 1:18 p.m. | 40 views

CVE-2008-3296

Summary: CVE-2008-3296 affects XOOPS, specifically XOOPS 2.0.18.1, via a directory traversal in the file path handling of the admin.php module under modules/system. The underlying issue allows remote attackers to include and execute arbitrary local files by crafting a .. (dot dot) sequence in the...

CVSS 7.5 | AI score 6.9 | EPSS 0.01343
Web

CVE
added 2007/10/23 1:0 a.m. | 39 views

CVE-2003-1453

The vulnerability is an XSS in XOOPS MytextSanitizer affecting XOOPS 1.3.5–1.3.9 and 2.0–2.0.1, exploitable via a javascript: URL in an IMG tag to inject arbitrary script/HTML. The provided documents do not include concrete exploit details, affected product versions beyond those ranges, or a reme...

CVSS 4.3 | AI score 5.9 | EPSS 0.0059

CVE
added 2008/01/08 7:0 p.m. | 39 views

CVE-2007-6675

CVE-2007-6675 affects XOOPS up to version 2.0.18. The b_system_comments_show function in htdocs/modules/system/blocks/system_blocks.php does not perform a permissions check, allowing remote attackers to read comments in restricted modules. This description is corroborated by multiple sources (NVD...

CVSS 5 | AI score 6.6 | EPSS 0.00234

CVE
added 2023/08/03 12:0 a.m. | 38 views

CVE-2023-36217

Xoops CMS v2.5.10 contains a Cross Site Scripting vulnerability in the category name field of the image manager function, enabling a remote attacker to execute arbitrary code. The issue is described as high-severity (CRITICAL) with CVSSv3.1 metrics; exploitation is demonstrated in public referenc...

CVSS 9 | AI score 8.9 | EPSS 0.05182

CVE
added 2008/02/06 11:0 a.m. | 34 views

CVE-2008-0611

CVE-2008-0611: SQL injection in the RMSOFT Gallery System 2.0 module for XOOPS (rmgs/images.php) allows remote attackers to run arbitrary SQL via the id parameter. Affected component: rmgs/images.php in RMSOFT Gallery System 2.0 for XOOPS. Consequences: partial impact to confidentiality, integri...

CVSS 7.5 | AI score 8.4 | EPSS 0.00404
Web