129 vulnerabilities found for xoops by xoops
FKIE_CVE-2023-36217
Vulnerability from fkie_nvd - Published: 2023-08-03 18:15 - Updated: 2024-11-21 08:09
Severity: 9.0 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (nvd@nist.gov, Primary)
Summary
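Cross-site scripting (XSS) vulnerability in Xoops CMS v2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function. The record classifies the weakness as CWE-79 and scores it as requiring low privileges and user interaction (PR:L/UI:R), so the "arbitrary code" is presumably script that runs in the browser of a user who views the injected category name. CVE-2019-16683, listed below, reports script execution through the category name in the image manager of the same version and is scored 4.8 (PR:H).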
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10 | Release Notes | |
| cve@mitre.org | https://www.exploit-db.com/exploits/51520 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/51520 | Exploit, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "0C58EABF-44CF-4C84-9DC5-49F69872AC4C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function."
}
],
"id": "CVE-2023-36217",
"lastModified": "2024-11-21T08:09:25.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-03T18:15:11.397",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/51520"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/51520"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16683
Vulnerability from fkie_nvd - Published: 2019-09-30 16:15 - Updated: 2024-11-21 04:30
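Severity: 4.8 MEDIUM — CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0: 3.5 LOW — AV:N/AC:M/Au:S/C:N/I:P/A:N (nvd@nist.gov, Primary)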
Summary
An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/XOOPS/XoopsCore25/commits/master | Patch, Third Party Advisory | |
| cve@mitre.org | https://xoops.org/modules/publisher/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XOOPS/XoopsCore25/commits/master | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://xoops.org/modules/publisher/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "0C58EABF-44CF-4C84-9DC5-49F69872AC4C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en el administrador de im\u00e1genes en Xoops versi\u00f3n 2.5.10. Cuando se desplaza la ruta de exploraci\u00f3n (breadcrumb) que muestra el nombre de la categor\u00eda sobre la edici\u00f3n de cualquier imagen, se ejecuta una carga \u00fatil de JavaScript."
}
],
"id": "CVE-2019-16683",
"lastModified": "2024-11-21T04:30:58.603",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-30T16:15:11.167",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://xoops.org/modules/publisher/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16684
Vulnerability from fkie_nvd - Published: 2019-09-30 16:15 - Updated: 2024-11-21 04:30
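Severity: 4.8 MEDIUM — CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0: 3.5 LOW — AV:N/AC:M/Au:S/C:N/I:P/A:N (nvd@nist.gov, Primary)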
Summary
An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/XOOPS/XoopsCore25/commits/master | Patch, Third Party Advisory | |
| cve@mitre.org | https://xoops.org/modules/publisher/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XOOPS/XoopsCore25/commits/master | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://xoops.org/modules/publisher/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "0C58EABF-44CF-4C84-9DC5-49F69872AC4C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en el administrador de im\u00e1genes en Xoops versi\u00f3n 2.5.10. Cuando cualquier imagen con una carga \u00fatil de JavaScript como su nombre se encuentra en la lista o en la p\u00e1gina Edit, se ejecuta la carga \u00fatil."
}
],
"id": "CVE-2019-16684",
"lastModified": "2024-11-21T04:30:58.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-30T16:15:11.227",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://xoops.org/modules/publisher/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-12138
Vulnerability from fkie_nvd - Published: 2017-08-02 05:29 - Updated: 2026-05-13 00:24
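Severity: 6.1 MEDIUM — CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0: 5.8 MEDIUM — AV:N/AC:M/Au:N/C:P/I:P/A:N (nvd@nist.gov, Primary)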
Summary
XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/100091 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/XOOPS/XoopsCore25/issues/523 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100091 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XOOPS/XoopsCore25/issues/523 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "36D99A65-CB2B-4285-B7F0-F2EC3A1EF84E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter."
},
{
"lang": "es",
"value": "XOOPS Core 2.5.8 tiene una vulnerabilidad de omisi\u00f3n de redirecci\u00f3n de URL en /modules/profile/index.php debido al filtro URL."
}
],
"id": "CVE-2017-12138",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-02T05:29:00.177",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100091"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100091"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-12139
Vulnerability from fkie_nvd - Published: 2017-08-02 05:29 - Updated: 2026-05-13 00:24
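Severity: 6.1 MEDIUM — CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0: 4.3 MEDIUM — AV:N/AC:M/Au:N/C:N/I:P/A:N (nvd@nist.gov, Primary)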
Summary
XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/100094 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/XOOPS/XoopsCore25/issues/524 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100094 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XOOPS/XoopsCore25/issues/524 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "36D99A65-CB2B-4285-B7F0-F2EC3A1EF84E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php."
},
{
"lang": "es",
"value": "XOOPS Core 2.5.8 tiene una vulnerabilidad de Cross-Site Scripting (XSS) en imagemanager.php por la ausencia de validaci\u00f3n de tipo MIME en htdocs/class/uploader.php."
}
],
"id": "CVE-2017-12139",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-02T05:29:00.223",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100094"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100094"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-11174
Vulnerability from fkie_nvd - Published: 2017-07-12 21:29 - Updated: 2026-05-13 00:24
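Severity: 9.8 CRITICAL — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS 2.0: 7.5 HIGH — AV:N/AC:L/Au:N/C:P/I:P/A:P (nvd@nist.gov, Primary)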
Summary
In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A3BA9895-4753-4BBF-9D92-7C101FAF369F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses."
},
{
"lang": "es",
"value": "En el archivo install/page_dbsettings.php en la distribuci\u00f3n Core de XOOPS versi\u00f3n 2.5.8.1, datos no filtrados pasados a las consultas CREATE y ALTER SQL causaron una inyecci\u00f3n SQL en la p\u00e1gina de configuraci\u00f3n de la base de datos, relacionada con el uso de GBK en las sentencias CHARACTER SET y COLLATE."
}
],
"id": "CVE-2017-11174",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-12T21:29:00.193",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-7944
Vulnerability from fkie_nvd - Published: 2017-04-24 10:59 - Updated: 2026-05-13 00:24
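Severity: 6.1 MEDIUM — CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0: 4.3 MEDIUM — AV:N/AC:M/Au:N/C:N/I:P/A:N (nvd@nist.gov, Primary)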
Summary
XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/97978 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97978 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A3BA9895-4753-4BBF-9D92-7C101FAF369F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php."
},
{
"lang": "es",
"value": "XOOPS Core 2.5.8.1 tiene XSS debido a una salida HTML sin escape de un mensaje de error de Install DB en page_dbsettings.php."
}
],
"id": "CVE-2017-7944",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-24T10:59:00.193",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97978"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97978"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-7290
Vulnerability from fkie_nvd - Published: 2017-03-30 07:59 - Updated: 2026-05-13 00:24
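Severity: 7.2 HIGH — CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; CVSS 2.0: 6.5 MEDIUM — AV:N/AC:L/Au:S/C:P/I:P/A:P (nvd@nist.gov, Primary)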
Summary
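SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program. The CPE configuration in this record also marks 2.5.8.1 itself as vulnerable, which does not match "before 2.5.8.1"; confirm the fixed version against the references before treating 2.5.8.1 as patched.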
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/97230 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97230 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C1D6FAC1-B5FB-4B3C-BD59-E56996090DB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AB4B6BBE-5DB1-474F-A9CC-7717C6F58CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A3BA9895-4753-4BBF-9D92-7C101FAF369F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en XOOPS 2.5.7.2 y otras versiones en versiones anteriores a 2.5.8.1 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro url para findusers.php. Un ejemplo de ataque utiliza \"into outfile\" para crear un programa de puerta trasera."
}
],
"id": "CVE-2017-7290",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-30T07:59:00.300",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97230"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97230"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-8999
Vulnerability from fkie_nvd - Published: 2014-11-20 13:55 - Updated: 2026-05-06 22:30
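Severity: 6.5 MEDIUM — CVSS 2.0: AV:N/AC:L/Au:S/C:P/I:P/A:P (nvd@nist.gov, Primary); no CVSS 3.x score in this record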
Summary
SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:*:final:*:*:*:*:*:*",
"matchCriteriaId": "D69AF6F8-31F5-4DB5-B1E8-992F74B01609",
"versionEndIncluding": "2.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en htdocs/modules/system/admin.php en XOOPS anterior a 2.5.7 Final permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro selgroups."
}
],
"id": "CVE-2014-8999",
"lastModified": "2026-05-06T22:30:45.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-20T13:55:09.033",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/71117"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/71117"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2012-0984
Vulnerability from fkie_nvd - Published: 2014-09-11 14:16 - Updated: 2026-05-06 22:30
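Severity: 4.3 MEDIUM — CVSS 2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N (nvd@nist.gov, Primary); no CVSS 3.x score in this record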
Summary
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xoops:xoops:*:*:*:*:*:*:*:*",
"matchCriteriaId": "42DF7B3A-901F-485D-9254-55678CE32D92",
"versionEndIncluding": "2.5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6DA9B414-29A9-42C8-A877-3D893ACCFF8A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9EA9FCEF-9E05-4DEC-9096-C02B12C548DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BF6AA3-EA16-480A-B6C7-CF60DB5C1F9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.2:rc:*:*:*:*:*:*",
"matchCriteriaId": "E773063D-3692-4320-ACB2-47360165847C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xoops:xoops:2.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2E8EF024-4538-46D0-98C5-1923FBE85FC8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en XOOPS anterior a 2.5.5 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del (1) par\u00e1metro to_userid en modules/pm/pmlite.php o (2) el par\u00e1metro current_file, (3) imgcat_id, o (4) target en class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php."
}
],
"id": "CVE-2012-0984",
"lastModified": "2026-05-06T22:30:45.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-09-11T14:16:03.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/81212"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/81213"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/48887"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/53143"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/81212"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/81213"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/48887"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/53143"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-36217 (GCVE-0-2023-36217)
Vulnerability from cvelistv5 – Published: 2023-08-03 00:00 – Updated: 2024-10-17 16:13
VLAI
Summary
Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:45:56.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/51520"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T16:13:17.086288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T16:13:23.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10"
},
{
"url": "https://www.exploit-db.com/exploits/51520"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36217",
"datePublished": "2023-08-03T00:00:00.000Z",
"dateReserved": "2023-06-21T00:00:00.000Z",
"dateUpdated": "2024-10-17T16:13:23.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16684 (GCVE-0-2019-16684)
Vulnerability from cvelistv5 – Published: 2019-09-30 15:28 – Updated: 2024-08-05 01:17
VLAI
Summary
An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/XOOPS/XoopsCore25/commits/master | x_refsource_MISC |
| https://xoops.org/modules/publisher/ | x_refsource_MISC |
| https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-30T15:28:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16684",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/XOOPS/XoopsCore25/commits/master",
"refsource": "MISC",
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"name": "https://xoops.org/modules/publisher/",
"refsource": "MISC",
"url": "https://xoops.org/modules/publisher/"
},
{
"name": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16684",
"datePublished": "2019-09-30T15:28:03.000Z",
"dateReserved": "2019-09-22T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:17:41.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16683 (GCVE-0-2019-16683)
Vulnerability from cvelistv5 – Published: 2019-09-30 15:15 – Updated: 2024-08-05 01:17
VLAI
Summary
An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/XOOPS/XoopsCore25/commits/master | x_refsource_MISC |
| https://xoops.org/modules/publisher/ | x_refsource_MISC |
| https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-30T15:15:23.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16683",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/XOOPS/XoopsCore25/commits/master",
"refsource": "MISC",
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"name": "https://xoops.org/modules/publisher/",
"refsource": "MISC",
"url": "https://xoops.org/modules/publisher/"
},
{
"name": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16683",
"datePublished": "2019-09-30T15:15:23.000Z",
"dateReserved": "2019-09-22T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:17:41.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12139 (GCVE-0-2017-12139)
Vulnerability from cvelistv5 – Published: 2017-08-02 05:00 – Updated: 2024-08-05 18:28
VLAI
Summary
XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/XOOPS/XoopsCore25/issues/524 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/100094 | vdb-entry, x_refsource_BID |
Date Public
2017-08-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:16.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
},
{
"name": "100094",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100094"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-03T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
},
{
"name": "100094",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100094"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-12139",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/XOOPS/XoopsCore25/issues/524",
"refsource": "CONFIRM",
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
},
{
"name": "100094",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100094"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-12139",
"datePublished": "2017-08-02T05:00:00.000Z",
"dateReserved": "2017-08-01T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:28:16.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12138 (GCVE-0-2017-12138)
Vulnerability from cvelistv5 – Published: 2017-08-02 05:00 – Updated: 2024-08-05 18:28
VLAI
Summary
XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/100091 | vdb-entry, x_refsource_BID |
| https://github.com/XOOPS/XoopsCore25/issues/523 | x_refsource_CONFIRM |
Date Public
2017-08-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:16.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "100091",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100091"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-03T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "100091",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100091"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-12138",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "100091",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100091"
},
{
"name": "https://github.com/XOOPS/XoopsCore25/issues/523",
"refsource": "CONFIRM",
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-12138",
"datePublished": "2017-08-02T05:00:00.000Z",
"dateReserved": "2017-08-01T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:28:16.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11174 (GCVE-0-2017-11174)
Vulnerability from cvelistv5 – Published: 2017-07-12 21:00 – Updated: 2024-08-05 17:57
VLAI
Summary
In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/ | x_refsource_MISC |
Date Public
2017-07-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:57.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-12T20:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11174",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/",
"refsource": "MISC",
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11174",
"datePublished": "2017-07-12T21:00:00.000Z",
"dateReserved": "2017-07-11T00:00:00.000Z",
"dateUpdated": "2024-08-05T17:57:57.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7944 (GCVE-0-2017-7944)
Vulnerability from cvelistv5 – Published: 2017-04-24 10:00 – Updated: 2024-08-05 16:19
VLAI
Summary
XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/97978 | vdb-entry, x_refsource_BID |
| https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/ | x_refsource_MISC |
Date Public
2017-04-24 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:19:29.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "97978",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97978"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-25T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "97978",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97978"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7944",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "97978",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97978"
},
{
"name": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/",
"refsource": "MISC",
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7944",
"datePublished": "2017-04-24T10:00:00.000Z",
"dateReserved": "2017-04-18T00:00:00.000Z",
"dateUpdated": "2024-08-05T16:19:29.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7290 (GCVE-0-2017-7290)
Vulnerability from cvelistv5 – Published: 2017-03-30 07:00 – Updated: 2024-08-05 15:56
VLAI
Summary
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19 | x_refsource_MISC |
| http://www.securityfocus.com/bid/97230 | vdb-entry, x_refsource_BID |
Date Public
2017-03-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:56:36.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
},
{
"name": "97230",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97230"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-03-31T09:57:02.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
},
{
"name": "97230",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97230"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7290",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19",
"refsource": "MISC",
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
},
{
"name": "97230",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97230"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7290",
"datePublished": "2017-03-30T07:00:00.000Z",
"dateReserved": "2017-03-28T00:00:00.000Z",
"dateUpdated": "2024-08-05T15:56:36.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8999 (GCVE-0-2014-8999)
Vulnerability from cvelistv5 – Published: 2014-11-20 11:00 – Updated: 2024-09-16 17:14
VLAI
Summary
SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://seclists.org/fulldisclosure/2014/Nov/39 | mailing-list, x_refsource_FULLDISC |
| http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html | x_refsource_MISC |
| http://xoops.org/modules/news/article.php?storyid=6658 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/71117 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:33:13.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20141117 XOOPS \u003c= 2.5.6 - Blind SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
},
{
"name": "71117",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/71117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-20T11:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20141117 XOOPS \u003c= 2.5.6 - Blind SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
},
{
"name": "71117",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/71117"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8999",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20141117 XOOPS \u003c= 2.5.6 - Blind SQL Injection",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"name": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"name": "http://xoops.org/modules/news/article.php?storyid=6658",
"refsource": "CONFIRM",
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
},
{
"name": "71117",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/71117"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8999",
"datePublished": "2014-11-20T11:00:00.000Z",
"dateReserved": "2014-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:14:54.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-0984 (GCVE-0-2012-0984)
Vulnerability from cvelistv5 – Published: 2014-09-11 14:00 – Updated: 2024-08-06 18:45
VLAI
Summary
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
10 references
| URL | Tags |
|---|---|
| http://osvdb.org/81212 | vdb-entry, x_refsource_OSVDB |
| http://www.exploit-db.com/exploits/18753 | exploit, x_refsource_EXPLOIT-DB |
| https://www.htbridge.com/advisory/multiple_vulner… | x_refsource_MISC |
| http://packetstormsecurity.org/files/111958/XOOPS… | x_refsource_MISC |
| http://xoops.org/modules/news/article.php?storyid=6284 | x_refsource_CONFIRM |
| http://archives.neohapsis.com/archives/bugtraq/20… | mailing-list, x_refsource_BUGTRAQ |
| http://secunia.com/advisories/48887 | third-party-advisory, x_refsource_SECUNIA |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry, x_refsource_XF |
| http://osvdb.org/81213 | vdb-entry, x_refsource_OSVDB |
| http://www.securityfocus.com/bid/53143 | vdb-entry, x_refsource_BID |
Date Public
2011-12-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:45:26.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "81212",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/81212"
},
{
"name": "18753",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"name": "20120418 Multiple XSS vulnerabilities in XOOPS",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"name": "48887",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/48887"
},
{
"name": "xoops-pmlite-xoopsimagebrowser-xss(75024)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"name": "81213",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/81213"
},
{
"name": "53143",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53143"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-12-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "81212",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/81212"
},
{
"name": "18753",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"name": "20120418 Multiple XSS vulnerabilities in XOOPS",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"name": "48887",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/48887"
},
{
"name": "xoops-pmlite-xoopsimagebrowser-xss(75024)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"name": "81213",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/81213"
},
{
"name": "53143",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53143"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-0984",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "81212",
"refsource": "OSVDB",
"url": "http://osvdb.org/81212"
},
{
"name": "18753",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"name": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
},
{
"name": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"name": "http://xoops.org/modules/news/article.php?storyid=6284",
"refsource": "CONFIRM",
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"name": "20120418 Multiple XSS vulnerabilities in XOOPS",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"name": "48887",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/48887"
},
{
"name": "xoops-pmlite-xoopsimagebrowser-xss(75024)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"name": "81213",
"refsource": "OSVDB",
"url": "http://osvdb.org/81213"
},
{
"name": "53143",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53143"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-0984",
"datePublished": "2014-09-11T14:00:00.000Z",
"dateReserved": "2012-02-02T00:00:00.000Z",
"dateUpdated": "2024-08-06T18:45:26.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36217 (GCVE-0-2023-36217)
Vulnerability from nvd – Published: 2023-08-03 00:00 – Updated: 2024-10-17 16:13
VLAI
Summary
Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.
Severity
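No CVSS data available in this record. The CISA ADP container in the JSON below carries an SSVC assessment instead: Exploitation "poc", Automatable "no", Technical Impact "total".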
CWE
- n/a
Assigner
References
2 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:45:56.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/51520"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T16:13:17.086288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T16:13:23.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10"
},
{
"url": "https://www.exploit-db.com/exploits/51520"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36217",
"datePublished": "2023-08-03T00:00:00.000Z",
"dateReserved": "2023-06-21T00:00:00.000Z",
"dateUpdated": "2024-10-17T16:13:23.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16684 (GCVE-0-2019-16684)
Vulnerability from nvd – Published: 2019-09-30 15:28 – Updated: 2024-08-05 01:17
VLAI
Summary
An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/XOOPS/XoopsCore25/commits/master | x_refsource_MISC |
| https://xoops.org/modules/publisher/ | x_refsource_MISC |
| https://blog.nirajkhatiwada.com.np/cve-2019-16684… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-30T15:28:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16684",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/XOOPS/XoopsCore25/commits/master",
"refsource": "MISC",
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"name": "https://xoops.org/modules/publisher/",
"refsource": "MISC",
"url": "https://xoops.org/modules/publisher/"
},
{
"name": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16684-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16684",
"datePublished": "2019-09-30T15:28:03.000Z",
"dateReserved": "2019-09-22T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:17:41.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16683 (GCVE-0-2019-16683)
Vulnerability from nvd – Published: 2019-09-30 15:15 – Updated: 2024-08-05 01:17
VLAI
Summary
An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/XOOPS/XoopsCore25/commits/master | x_refsource_MISC |
| https://xoops.org/modules/publisher/ | x_refsource_MISC |
| https://blog.nirajkhatiwada.com.np/cve-2019-16683… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-30T15:15:23.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xoops.org/modules/publisher/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16683",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/XOOPS/XoopsCore25/commits/master",
"refsource": "MISC",
"url": "https://github.com/XOOPS/XoopsCore25/commits/master"
},
{
"name": "https://xoops.org/modules/publisher/",
"refsource": "MISC",
"url": "https://xoops.org/modules/publisher/"
},
{
"name": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://blog.nirajkhatiwada.com.np/cve-2019-16683-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16683",
"datePublished": "2019-09-30T15:15:23.000Z",
"dateReserved": "2019-09-22T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:17:41.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12139 (GCVE-0-2017-12139)
Vulnerability from nvd – Published: 2017-08-02 05:00 – Updated: 2024-08-05 18:28
VLAI
Summary
XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/XOOPS/XoopsCore25/issues/524 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/100094 | vdb-entry, x_refsource_BID |
Date Public
2017-08-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:16.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
},
{
"name": "100094",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100094"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-03T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
},
{
"name": "100094",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100094"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-12139",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/XOOPS/XoopsCore25/issues/524",
"refsource": "CONFIRM",
"url": "https://github.com/XOOPS/XoopsCore25/issues/524"
},
{
"name": "100094",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100094"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-12139",
"datePublished": "2017-08-02T05:00:00.000Z",
"dateReserved": "2017-08-01T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:28:16.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12138 (GCVE-0-2017-12138)
Vulnerability from nvd – Published: 2017-08-02 05:00 – Updated: 2024-08-05 18:28
VLAI
Summary
XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/100091 | vdb-entry, x_refsource_BID |
| https://github.com/XOOPS/XoopsCore25/issues/523 | x_refsource_CONFIRM |
Date Public
2017-08-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:16.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "100091",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100091"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-03T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "100091",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100091"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-12138",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "100091",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100091"
},
{
"name": "https://github.com/XOOPS/XoopsCore25/issues/523",
"refsource": "CONFIRM",
"url": "https://github.com/XOOPS/XoopsCore25/issues/523"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-12138",
"datePublished": "2017-08-02T05:00:00.000Z",
"dateReserved": "2017-08-01T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:28:16.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11174 (GCVE-0-2017-11174)
Vulnerability from nvd – Published: 2017-07-12 21:00 – Updated: 2024-08-05 17:57
VLAI
Summary
In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tsublogs.wordpress.com/2017/07/12/xoops-c… | x_refsource_MISC |
Date Public
2017-07-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:57.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-12T20:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11174",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/",
"refsource": "MISC",
"url": "https://tsublogs.wordpress.com/2017/07/12/xoops-core-2-5-8-1-install-db-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11174",
"datePublished": "2017-07-12T21:00:00.000Z",
"dateReserved": "2017-07-11T00:00:00.000Z",
"dateUpdated": "2024-08-05T17:57:57.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7944 (GCVE-0-2017-7944)
Vulnerability from nvd – Published: 2017-04-24 10:00 – Updated: 2024-08-05 16:19
VLAI
Summary
XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/97978 | vdb-entry, x_refsource_BID |
| https://tsublogs.wordpress.com/2017/04/24/xoops-c… | x_refsource_MISC |
Date Public
2017-04-24 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:19:29.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "97978",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97978"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-25T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "97978",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97978"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7944",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "97978",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97978"
},
{
"name": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/",
"refsource": "MISC",
"url": "https://tsublogs.wordpress.com/2017/04/24/xoops-core-2-5-8-1-install-db-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7944",
"datePublished": "2017-04-24T10:00:00.000Z",
"dateReserved": "2017-04-18T00:00:00.000Z",
"dateUpdated": "2024-08-05T16:19:29.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7290 (GCVE-0-2017-7290)
Vulnerability from nvd – Published: 2017-03-30 07:00 – Updated: 2024-08-05 15:56
Summary
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://gist.github.com/jk1986/3b304ac6b4ae52ae66… | x_refsource_MISC |
| http://www.securityfocus.com/bid/97230 | vdb-entry, x_refsource_BID |
Date Public
2017-03-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:56:36.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
},
{
"name": "97230",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97230"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-03-31T09:57:02.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
},
{
"name": "97230",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97230"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7290",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19",
"refsource": "MISC",
"url": "https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"
},
{
"name": "97230",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97230"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7290",
"datePublished": "2017-03-30T07:00:00.000Z",
"dateReserved": "2017-03-28T00:00:00.000Z",
"dateUpdated": "2024-08-05T15:56:36.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8999 (GCVE-0-2014-8999)
Vulnerability from nvd – Published: 2014-11-20 11:00 – Updated: 2024-09-16 17:14
Summary
SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://seclists.org/fulldisclosure/2014/Nov/39 | mailing-list, x_refsource_FULLDISC |
| http://packetstormsecurity.com/files/129134/XOOPS… | x_refsource_MISC |
| http://xoops.org/modules/news/article.php?storyid=6658 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/71117 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:33:13.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20141117 XOOPS \u003c= 2.5.6 - Blind SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
},
{
"name": "71117",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/71117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-20T11:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20141117 XOOPS \u003c= 2.5.6 - Blind SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
},
{
"name": "71117",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/71117"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8999",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20141117 XOOPS \u003c= 2.5.6 - Blind SQL Injection",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2014/Nov/39"
},
{
"name": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/129134/XOOPS-2.5.6-SQL-Injection.html"
},
{
"name": "http://xoops.org/modules/news/article.php?storyid=6658",
"refsource": "CONFIRM",
"url": "http://xoops.org/modules/news/article.php?storyid=6658"
},
{
"name": "71117",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/71117"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8999",
"datePublished": "2014-11-20T11:00:00.000Z",
"dateReserved": "2014-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:14:54.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-0984 (GCVE-0-2012-0984)
Vulnerability from nvd – Published: 2014-09-11 14:00 – Updated: 2024-08-06 18:45
Summary
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
10 references
| URL | Tags |
|---|---|
| http://osvdb.org/81212 | vdb-entry, x_refsource_OSVDB |
| http://www.exploit-db.com/exploits/18753 | exploit, x_refsource_EXPLOIT-DB |
| https://www.htbridge.com/advisory/multiple_vulner… | x_refsource_MISC |
| http://packetstormsecurity.org/files/111958/XOOPS… | x_refsource_MISC |
| http://xoops.org/modules/news/article.php?storyid=6284 | x_refsource_CONFIRM |
| http://archives.neohapsis.com/archives/bugtraq/20… | mailing-list, x_refsource_BUGTRAQ |
| http://secunia.com/advisories/48887 | third-party-advisory, x_refsource_SECUNIA |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry, x_refsource_XF |
| http://osvdb.org/81213 | vdb-entry, x_refsource_OSVDB |
| http://www.securityfocus.com/bid/53143 | vdb-entry, x_refsource_BID |
Date Public
2011-12-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:45:26.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "81212",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/81212"
},
{
"name": "18753",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"name": "20120418 Multiple XSS vulnerabilities in XOOPS",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"name": "48887",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/48887"
},
{
"name": "xoops-pmlite-xoopsimagebrowser-xss(75024)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"name": "81213",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/81213"
},
{
"name": "53143",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53143"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-12-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "81212",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/81212"
},
{
"name": "18753",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"name": "20120418 Multiple XSS vulnerabilities in XOOPS",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"name": "48887",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/48887"
},
{
"name": "xoops-pmlite-xoopsimagebrowser-xss(75024)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"name": "81213",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/81213"
},
{
"name": "53143",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53143"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-0984",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "81212",
"refsource": "OSVDB",
"url": "http://osvdb.org/81212"
},
{
"name": "18753",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18753"
},
{
"name": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html"
},
{
"name": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html"
},
{
"name": "http://xoops.org/modules/news/article.php?storyid=6284",
"refsource": "CONFIRM",
"url": "http://xoops.org/modules/news/article.php?storyid=6284"
},
{
"name": "20120418 Multiple XSS vulnerabilities in XOOPS",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html"
},
{
"name": "48887",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/48887"
},
{
"name": "xoops-pmlite-xoopsimagebrowser-xss(75024)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75024"
},
{
"name": "81213",
"refsource": "OSVDB",
"url": "http://osvdb.org/81213"
},
{
"name": "53143",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53143"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-0984",
"datePublished": "2014-09-11T14:00:00.000Z",
"dateReserved": "2012-02-02T00:00:00.000Z",
"dateUpdated": "2024-08-06T18:45:26.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}