CVE-2017-11174

Name of the Vulnerable Software and Affected Versions XOOPS version 2.5.8.1

Description The issue is related to SQL Injection in the database settings page due to unfiltered data being passed to CREATE and ALTER SQL queries. This is caused by the use of GBK in CHARACTER SET and COLLATE clauses in the install/page dbsettings.php file of the Core distribution.

Recommendations For XOOPS version 2.5.8.1, consider restricting access to the database settings page until a patch is available, and avoid using the GBK character set in CHARACTER SET and COLLATE clauses to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.