VYPR
Unrated severity · NVD Advisory · Published Apr 25, 2004 · Updated Apr 16, 2026

CVE-2004-1965

Description

Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) redirect parameter to member.php, (2) to parameter to myhome.php, (3) TID parameter to post.php, or (4) redirect parameter to index.php.

Affected products

1

Vulnerability mechanics

Root cause

"The application fails to properly sanitize user-supplied input in several parameters, allowing for the injection of arbitrary web script or HTML."

Attack vector

Remote attackers can exploit multiple cross-site scripting vulnerabilities by crafting malicious URIs. These URIs include specially crafted input in parameters such as 'redirect' in member.php and index.php, 'to' in myhome.php, and 'TID' in post.php. When a victim user clicks on such a URI, the injected script or HTML is executed within the user's browser in the context of the vulnerable website [ref_id=1]. This can lead to the theft of sensitive information, such as cookie credentials [ref_id=2].

Affected code

The vulnerabilities are present in multiple files, including member.php, myhome.php, post.php, and index.php. Specifically, the 'redirect' parameter in member.php and index.php, the 'to' parameter in myhome.php, and the 'TID' parameter in post.php are identified as susceptible to cross-site scripting attacks [ref_id=1].

What the fix does

The advisory does not specify a patch or provide details on how the vulnerabilities were fixed. It only states that vendors were contacted and planned to release a fixed version soon. Therefore, the exact changes made to remediate these issues are not detailed in the provided information.
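
Because the advisory publishes no patch, the following is an added example (not OpenBB code and not the vendor's fix) of how PHP code can handle the two kinds of parameter named above: a redirect-style value restricted to a same-site relative path, and an identifier restricted to digits, with HTML encoding at the point of output. The function names, the fallback page, and the treatment of TID as a numeric thread ID are assumptions.

```php
<?php
// Added illustration; not OpenBB source and not the vendor's patch.
// Function names and the fallback page are hypothetical.

// Encode a value for an HTML text node or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only a same-site relative path for a redirect-style parameter.
// The allow-list has no ':', quotes, angle brackets, spaces or backslashes,
// and the lookahead rejects protocol-relative "//host" values.
function safe_redirect_target(?string $raw, string $fallback = 'index.php'): string
{
    if ($raw === null || strlen($raw) > 2048) {
        return $fallback;
    }
    $pattern = '#^(?!//)[A-Za-z0-9_./-]+(\?[A-Za-z0-9_=&%.-]*)?$#D';
    return preg_match($pattern, $raw) === 1 ? $raw : $fallback;
}

// Assumption: TID is a numeric thread identifier. Digits only, bounded length.
function thread_id(?string $raw): ?int
{
    if ($raw === null || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample requests; the markup in them is an inert placeholder.
$samples = [
    ['redirect' => 'member.php?action=login', 'TID' => '42'],
    ['redirect' => '"><b>injected</b>',       'TID' => '42<i>x</i>'],
    ['redirect' => '//other.example/',        'TID' => ''],
];

foreach ($samples as $query) {
    $target = safe_redirect_target($query['redirect'] ?? null);
    $tid    = thread_id($query['TID'] ?? null);
    // Encode at output even after validation, so a later change to the
    // validator cannot reintroduce markup injection.
    printf("<a href=\"%s\">continue</a> thread=%s\n",
        h($target), $tid === null ? 'invalid' : $tid);
}
```

Only the first constructed request keeps its redirect value and thread ID; the other two fall back to `index.php` and are reported as `invalid`.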

Preconditions

  • network: The attacker must be able to send a crafted URI to the victim.
  • input: The crafted URI must contain malicious script or HTML within specific parameters.

Reproduction

http://www.example.com/index.php?redirect=[XSS]

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
