XOOPS 'text' And 'message' Parameter Cross-Site Scripting Vulnerabilities Network Vulnerability

Summary

The host is running XOOPS and is prone to cross site scripting vulnerabilities.

Impact

Successful exploitation will allow remote attackers to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to XOOPS version 2.5.3 or later, For updates refer to http://www.xoops.org/

Insight

The flaws are due to improper validation of user-supplied input to - The 'text' parameter to include/formdhtmltextarea_preview.php (when 'html' is set to '1'), - The '[img]' BBCode tag in the 'message' parameter to pmlite.php script, which allows attacker to execute arbitrary HTML and script code on the user's browser session in the security context of an affected site.

Affected

XOOPS version 2.5.1a and prior

References

http://secunia.com/advisories/46238
http://xforce.iss.net/xforce/xfdb/70377
http://xforce.iss.net/xforce/xfdb/70378
http://xoops.org/modules/news/article.php?storyid=6094
https://www.htbridge.ch/advisory/multiple_xss_in_xoops_web_application_platform.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4565
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Tomcat cal2.jsp Cross Site Scripting Vulnerability
Adobe ColdFusion Multiple Cross Site Scripting Vulnerabilities
aeNovo Database Content Disclosure Vulnerability
11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
Apache Tomcat Directory Listing and File disclosure

XOOPS 'text' and 'message' Parameter Cross-Site Scripting Vulnerabilities

Take action and discover your vulnerabilities