CVE-2011-4565

Name of the Vulnerable Software and Affected Versions XOOPS versions prior to 2.5.1.a

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the text parameter to "include/formdhtmltextarea preview.php" or the img BBCODE tag within the message parameter to "pmlite.php" (also known as Private Message).

Recommendations For XOOPS versions prior to 2.5.1.a, consider disabling the include/formdhtmltextarea preview.php and pmlite.php scripts until a patch is available. Restrict access to the text parameter and the img BBCODE tag within the message parameter to minimize the risk of exploitation.