Dsg

Researcher from Digital Research Group
Rank #21579 of 53,622
11.1 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2009-2353
6.8
2009-07-31
Xoops · Xoops · CVE-2008-6884
Name of the Vulnerable Software and Affected Versions: XOOPS version 2.3.1
Description: The issue allows remote attackers to include and execute arbitrary local files due to multiple directory traversal vulnerabilities. This is possible when register_globals is enabled and a .. (dot dot) sequence is used in the `xoopsConfig[language]` parameter to access certain files, such as blocks.php and main.php in the xoops_lib/modules/protector/ directory.
Recommendations: For XOOPS version 2.3.1, consider disabling the register_globals setting to mitigate the risk of exploitation. Additionally, restrict access to the blocks.php and main.php files in the xoops_lib/modules/protector/ directory until a patch is available. Avoid using the `xoopsConfig[language]` parameter with untrusted input in the affected endpoints.
PT-2009-2354
4.3
2009-07-31
Xoops · Xoops · CVE-2008-6885
Name of the Vulnerable Software and Affected Versions: XOOPS versions 2.3.1 through 2.3.2a
Description: A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute in a URL BBcode tag in a private message.
Recommendations: For versions 2.3.1 and 2.3.2a, consider disabling the private messaging feature or restricting the use of BBcode tags until a fix is available.