PT-2004-2916 · Php Nuke · Php-Nuke

Janek Vind +1 · Published 2004-12-31 · Updated 2017-07-19 · CVE-2004-2020

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Php-Nuke versions 6.x through 7.3

Description

The issue allows remote attackers to inject arbitrary HTML or web script. This can be achieved through various parameters in different modules, including the optionbox parameter in the News module, the date parameter in the Statistics module, the year, month, and month 1 parameters in the Stories Archive module, and the mode, order, and thold parameters in the Surveys module. Additionally, it is possible to inject a SQL statement to index.php, as processed by mainfile.php.

Recommendations

For Php-Nuke versions 6.x through 7.3, consider disabling the vulnerable modules, such as the News, Statistics, Stories Archive, and Surveys modules, until a patch is available. Restrict access to the index.php and mainfile.php files to minimize the risk of exploitation. Avoid using the optionbox, date, year, month, month 1, mode, order, and thold parameters in the affected modules until the issue is resolved.


Related identifiers

CVE-2004-2020

Affected products

Php-Nuke