VYPR
NVD Advisory, unrated severity. Published May 19, 2010; updated Apr 29, 2026.

CVE-2010-1629

Description

Cross-site scripting (XSS) vulnerability in Phorum before 5.2.15 allows remote attackers to inject arbitrary web script or HTML via an invalid email address.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Phorum before 5.2.15 allows stored XSS via an invalid email address in the user profile, enabling arbitrary script execution.

Vulnerability

Phorum versions prior to 5.2.15 contain a cross-site scripting (XSS) vulnerability in the backend user profile functionality. When a user submits an invalid email address (for example, one that carries HTML or JavaScript instead of a syntactically valid address), the application neither rejects the value nor escapes it before rendering it in the profile views. The stored value is therefore emitted as live HTML or script. The issue affects all Phorum installations running a version older than 5.2.15 [1][2].

Exploitation

An attacker must be able to register or update a user profile with an invalid email address. No special network position or authentication level is required beyond standard user registration. The attacker enters a crafted email address containing an XSS payload into the email field. When an administrator or another user views the profile (including backend user lists), the injected script executes in their browser. The changelog describes this as a self-attack scenario, but it is also triggered when other users view the attacker's profile [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information (e.g., cookies, form data). The attacker does not achieve direct server-side compromise. The vulnerability is classified as less important by the vendor, but it still poses a risk to user data and application integrity [2].

Mitigation

Phorum version 5.2.15, released in 2010, contains the fix. Users should upgrade immediately. No workaround is provided for older releases. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog. If upgrading is not feasible, administrators should tighten validation of the email field (rejecting anything that is not a syntactically valid address) or disable profile updates until the patch is applied [1][2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
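The weak and hardened handling of the profile email field, as an added illustration in PHP (Phorum's language); this is not Phorum's own code, and the function names and sample value are constructed for the example:

```php
<?php
// Added illustration of the CVE-2010-1629 pattern; not Phorum's own code.
// A profile "email" field is stored and later echoed into a backend user
// list. Function names and the sample value below are constructed.

// Constructed sample: a malformed address that carries HTML markup.
$storedEmail = '<b>bogus</b> user@example.invalid';

// Weak: interpolates the stored value into HTML unescaped, so markup
// inside a malformed address becomes part of the rendered page.
function renderRowWeak(string $email): string
{
    return "<td>$email</td>";
}

// Hardened, step 1 (reject on write): refuse to store anything that is
// not a syntactically valid address. filter_var() returns false on failure.
function validateEmail(string $email): ?string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Hardened, step 2 (escape on read): encode on output regardless of what
// was stored, so data that predates the validation is still shown as text.
function renderRowSafe(string $email): string
{
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td>$escaped</td>";
}

// Write path: the malformed value never reaches the database,
// while a well-formed address passes through unchanged.
if (validateEmail($storedEmail) === null) {
    echo "rejected: not a valid address\n";
}
echo "accepted: ", validateEmail('user@example.invalid'), "\n";

// Read path: a value already in the database (pre-upgrade data) is
// neutralised by output escaping, whereas the weak renderer hands the
// markup to the browser intact.
echo renderRowSafe($storedEmail), "\n";
echo renderRowWeak($storedEmail), "\n";
```

Both steps are needed: validation stops new bad values, output escaping protects against rows stored before the validation existed.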

Affected products

Phorum (phorum:phorum), 83 listed versions
  • cpe:2.3:a:phorum:phorum:*:*:*:*:*:*:*:* range: <=5.2.14
  • (no CPE) range: <5.2.15

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.