Nguyen Thanh Nguyen

**Name of the Vulnerable Software and Affected Versions** XOOPS version 2.5.8.1 **Description** The issue is related to SQL Injection in the database settings page due to unfiltered data being passed to CREATE and ALTER SQL queries. This is caused by the use of GBK in CHARACTER SET and COLLATE clauses in the install/page dbsettings.php file of the Core distribution. **Recommendations** For XOOPS version 2.5.8.1, consider restricting access to the database settings page until a patch is available, and avoid using the GBK character set in CHARACTER SET and COLLATE clauses to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XOOPS Core version 2.5.8.1 **Description** The issue is related to unescaped HTML output of an Install DB failure error message in page dbsettings.php, which leads to a cross-site scripting (XSS) problem. **Recommendations** For XOOPS Core version 2.5.8.1, update to a newer version that includes the fix for this issue to prevent potential XSS attacks.