CVE-2004-1957
Description
PostNuke 0.726 contains multiple cross-site scripting vulnerabilities in the Downloads, Web_links, and openwindow.php components.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PostNuke 0.726 (Phoenix) fails to sanitize user-supplied input in several components. The lid and query parameters of the Downloads module, the query parameter of the Web_links module, and the hlpfile parameter of openwindow.php are reflected into the HTML response without being escaped, so an attacker can inject arbitrary HTML and JavaScript into the page. [1][2]
Exploitation
This is reflected XSS: an attacker crafts a URL that carries script code in one of the vulnerable parameters and lures a victim into following it (for example via e-mail or a forum post). No authentication is required on the attacker's side. When the victim's browser loads the link, the injected script runs in the origin of the PostNuke site, with access to that site's cookies and to any session the victim holds there. [1][2]
Impact
Successful exploitation results in cross-site scripting (XSS): the attacker can steal session cookies, deface the rendered page, or issue requests on behalf of the victim, which is most damaging when the victim is a logged-in administrator. The attack can therefore lead to compromise of user accounts and sensitive data. [1][2]
Mitigation
The vendor released PostNuke 0.7.2.6-Patch1 on 21 April 2004 to address these issues. Users should upgrade to the patched version or apply the provided fixes. No workaround is documented in the references; the general remedy for reflected XSS of this kind is to HTML-encode each of the affected parameters before it is written into the response (in PHP, htmlspecialchars() with ENT_QUOTES). [1][2]
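Because upgrading is the only documented fix, a practitioner will also want to know whether anyone has already tried these URLs against a site. The following is an added example, not code from the page or from the PostNuke project: it scans constructed web-server access-log lines (combined log format, assumed) for requests that place an HTML/JavaScript payload in the lid, query or hlpfile parameters named above. The URL layout (modules.php?op=modload&name=<Module>&... for modules, openwindow.php for the help pop-up) is an assumption about how PostNuke routes requests, and the log lines are fabricated for the example. Double URL encoding is undone before matching, since attackers use it to slip past naive filters.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed PostNuke URL layout (not taken from the page): modules are reached via
# modules.php?op=modload&name=<Module>&file=index&..., the help pop-up via openwindow.php.
VULN_MODULES = {"downloads": {"lid", "query"}, "web_links": {"query"}}
VULN_SCRIPTS = {"openwindow.php": {"hlpfile"}}

# Markers that indicate an HTML/JS injection attempt once the value is fully URL-decoded.
XSS_PATTERN = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg|body|object|embed)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Combined log format (assumed): client ident user [time] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding; stops early once decoding is a no-op."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(url):
    """Return (parameter, decoded_value) for the first vulnerable parameter carrying an XSS
    payload, or None when the request does not touch a vulnerable parameter with a payload."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    # parse_qs removes one layer of URL encoding; keep blank values so empty params survive.
    params = parse_qs(parts.query, keep_blank_values=True)
    lowered = {k.lower(): v for k, v in params.items()}
    watched = set()
    if script == "modules.php":
        module = lowered.get("name", [""])[0].lower()
        watched |= VULN_MODULES.get(module, set())
    watched |= VULN_SCRIPTS.get(script, set())
    for param in sorted(watched):
        for raw in lowered.get(param, []):
            value = decode_fully(raw)
            if XSS_PATTERN.search(value):
                return param, value
    return None


def scan_log(lines):
    """Return one dict per log line whose request targets a vulnerable parameter with a payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        found = inspect_request(m["url"])
        if found:
            param, value = found
            hits.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                         "payload": value, "status": m["status"]})
    return hits


# Constructed sample log lines (not real traffic): two attack attempts, two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2004:10:01:12 +0000] "GET /modules.php?op=modload&name=Downloads'
    '&file=index&req=viewdownloaddetails&lid=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 5120',
    '203.0.113.5 - - [21/Apr/2004:10:01:40 +0000] "GET /openwindow.php'
    '?hlpfile=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.0" 200 812',
    '198.51.100.7 - - [21/Apr/2004:10:02:03 +0000] "GET /modules.php?op=modload&name=Web_Links'
    '&file=index&req=search&query=postnuke+themes HTTP/1.0" 200 7301',
    '198.51.100.9 - - [21/Apr/2004:10:02:30 +0000] "GET /modules.php?op=modload&name=News'
    '&file=index&query=%3Cscript%3E HTTP/1.0" 200 3001',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} payload={hit['payload']!r}")
```

Only the two requests that hit a listed module or script with a listed parameter are reported; the same payload sent to a module the advisory does not name (the fourth line) is ignored, which keeps the rule specific to this CVE rather than a generic XSS signature. Module and parameter names are compared case-insensitively because PHP applications of this era were often lax about case in the name parameter.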
AI Insight generated on May 24, 2026.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- www.securityfocus.com/bid/10191 (NVD; Exploit, Vendor Advisory)
- www.waraxe.us/index.php (NVD; Exploit, Vendor Advisory)
- marc.info (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/15934 (NVD)
News mentions (0)
No linked articles in our index yet.