Trabis

**Name of the Vulnerable Software and Affected Versions** XOOPS versions prior to 2.5.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `to userid` parameter to "modules/pm/pmlite.php" or the `current file`, `imgcat id`, or `target` parameters to "class/xoopseditor/tinymce/tinymce/jscripts/tiny mce/plugins/xoopsimagemanager/xoopsimagebrowser.php". **Recommendations** For XOOPS versions prior to 2.5.5, update to version 2.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters `to userid`, `current file`, `imgcat id`, and `target` until a patch is applied.