CVE-2004-2294

Name of the Vulnerable Software and Affected Versions: PHP-Nuke versions 6.0 through 7.3

Description: The issue is related to a Canonicalize-before-filter error in the send review function within the Reviews module. This error allows remote attackers to inject arbitrary web script or HTML via hex-encoded XSS sequences in the text parameter. The vulnerability arises because the text parameter is checked for dangerous sequences before it is canonicalized, leading to a cross-site scripting (XSS) issue.

Recommendations: For PHP-Nuke versions 6.0 through 7.3, consider disabling the send review function in the Reviews module until a patch is available to prevent exploitation of the XSS vulnerability. Restrict access to the Reviews module to minimize the risk of cross-site scripting attacks. Avoid using the text parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.