This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: Xoops
Product: Xoops
Version: 2.2.3
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *

First view: 2005-11-18
Last view: 2014-11-20
Type: Application
 
CPE Product cpe:2.3:a:xoops:xoops

Activity : Overall

Related : CVE

Score Date Alert Description
6.5 2014-11-20 CVE-2014-8999

SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter.

4.3 2014-09-11 CVE-2012-0984

Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.

4.3 2011-11-28 CVE-2011-4565

Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.5.1.a, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to include/formdhtmltextarea_preview.php or (2) img BBCODE tag within the message parameter to pmlite.php (aka Private Message). NOTE: some of these details are obtained from third party information.

5 2010-05-07 CVE-2009-4851

The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrative approval via a request involving activate.php.

7.5 2009-11-17 CVE-2009-3963

Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have unknown impact and attack vectors.

6.4 2005-11-18 CVE-2005-3680

Directory traversal vulnerability in editor_registry.php in XOOPS 2.2.3 allows remote attackers to read or include arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter.

CWE : Common Weakness Enumeration

% id Name
50% (2) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
25% (1) CWE-264 Permissions, Privileges, and Access Controls
25% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...

Open Source Vulnerability Database (OSVDB)

id Description
76110 Xoops pmlite.php message Parameter [img] BBCode Tag XSS
76109 Xoops include/formdhtmltextarea_preview.php text Parameter XSS
60242 XOOPS Multiple Unspecified Issues
60074 XOOPS Profiles Module New User Activation Permission Verification Bypass
20855 XOOPS dhtmltextarea/editor_registry.php xoopsConfig[language] Parameter Trave...
20854 XOOPS koivi/editor_registry.php xoopsConfig[language] Parameter Traversal Arb...
20853 XOOPS textarea/editor_registry.php xoopsConfig[language] Parameter Traversal ...

ExploitDB Exploits

id Description
18753 XOOPS 2.5.4 Multiple XSS Vulnerabilities

OpenVAS Exploits

Date Description
2011-12-05 Name : XOOPS 'text' and 'message' Parameter Cross-Site Scripting Vulnerabilities
File : nvt/gb_xoops_text_param_mult_xss_vuln.nasl
2010-05-19 Name : XOOPS Profiles Module Activation Security Bypass Vulnerability
File : nvt/gb_xoops_sec_bypass_vuln.nasl
2009-11-20 Name : XOOPS Multiple Unspecified Vulnerabilities - Nov09
File : nvt/secpod_xoops_mult_unspecified_vuln_nov09.nasl

Nessus® Vulnerability Scanner

Date Description
2009-11-10 Name: A web application on the remote host has a cross-site scripting vulnerability.
File: xoops_misc_uri_xss.nasl - Type: ACT_ATTACK
2005-11-16 Name: The remote web server contains a PHP application that is affected by multiple...
File: xoops_xoopsconfig_file_includes.nasl - Type: ACT_ATTACK