PT-2011-4993 · Xoops · Xoops

Published

2011-11-28

Updated

2017-08-29

CVE-2011-4565

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions XOOPS versions prior to 2.5.1.a

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the text parameter to "include/formdhtmltextarea preview.php" or the img BBCODE tag within the message parameter to "pmlite.php" (also known as Private Message).

Recommendations For XOOPS versions prior to 2.5.1.a, consider disabling the include/formdhtmltextarea preview.php and pmlite.php scripts until a patch is available. Restrict access to the text parameter and the img BBCODE tag within the message parameter to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2011-4565

Affected Products

Xoops

PT-2011-4993 · Xoops · Xoops

CVE-2011-4565

Weakness Enumeration

Related Identifiers

Affected Products

References · 8