VYPR
Unrated severity · NVD Advisory · Published Mar 15, 2004 · Updated Jun 16, 2026

CVE-2004-1818

Description

Cross-site scripting (XSS) vulnerability in nmimage.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary script as other users by injecting arbitrary script into the z parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The nmimage.php script fails to properly sanitize user-supplied input in the 'z' parameter, allowing for script injection."

Attack vector

A remote attacker can send a specially crafted POST request to the nmimage.php script, injecting arbitrary script into the 'z' parameter [ref_id=1]. This script will then be executed in the context of other users, potentially leading to cookie theft and authentication bypass [ref_id=1]. The vulnerability is present in version 0.92 of the 4nAlbum module for PHP-Nuke 6.5 through 7.0 [ref_id=2].

Affected code

The vulnerability exists in the nmimage.php script within the 4nAlbum module [ref_id=1, ref_id=2]. Specifically, the 'z' parameter is not adequately validated, allowing for cross-site scripting attacks [ref_id=1].

What the fix does

The advisory does not provide details on a specific patch or code changes. However, it indicates that the vulnerability is due to a failure of the module to validate user input [ref_id=2]. Remediation guidance suggests updating to a version where this issue is addressed, though no specific version is mentioned as fixed.

Preconditions

  • config: The affected software, 4nAlbum version 0.92, must be installed as a module for PHP-Nuke versions 6.5 through 7.0.
  • input: The attacker must be able to send a POST request with a malicious payload in the 'z' parameter.

Reproduction

http://www.example.com/phpNukeDirectory/modules/4nalbum/public/nmimage.php?z=[xss code here] [ref_id=2]
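For triage of an existing install, the following added example (not code from the advisory or from 4nAlbum) scans web access log lines for requests to nmimage.php whose z query parameter decodes to markup. It assumes combined-format logs and that a legitimate z value never contains markup characters; the log lines are constructed samples, and a payload sent in a POST body would not appear in such logs.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request field of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Script path taken from the reproduction URL on this page.
SCRIPT_SUFFIX = "/modules/4nalbum/public/nmimage.php"
# Assumption: a legitimate z value never needs markup characters.
MARKUP_RE = re.compile(r'[<>"\'`]|javascript:|on\w+\s*=', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%253C) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_z_values(log_line):
    """Return the decoded z values in one log line that contain markup."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith(SCRIPT_SUFFIX):
        return []
    values = parse_qs(url.query, keep_blank_values=True).get("z", [])
    decoded = [decode_fully(v) for v in values]
    return [v for v in decoded if MARKUP_RE.search(v)]

# Constructed sample log lines (documentation IP range, invented requests).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Mar/2004:10:01:02 +0000] "GET /nuke/modules/4nalbum/public/nmimage.php?z=3 HTTP/1.0" 200 512',
    '198.51.100.9 - - [15/Mar/2004:10:02:40 +0000] "GET /nuke/modules/4nalbum/public/nmimage.php?z=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 640',
    '198.51.100.9 - - [15/Mar/2004:10:03:11 +0000] "GET /nuke/modules/4nalbum/public/nmimage.php?z=%253Cimg%2520src%253Dx%253E HTTP/1.0" 200 640',
    '198.51.100.4 - - [15/Mar/2004:10:04:00 +0000] "GET /nuke/index.php?z=%3Cb%3E HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for value in suspicious_z_values(line):
            print(f"suspicious z value: {value!r}")
```
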

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
