VYPR
Unrated severity · NVD Advisory · Published Jan 4, 2012 · Updated Apr 29, 2026

CVE-2011-4920

Description

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, and other versions before 1.0.0, allow remote attackers to inject arbitrary web script or HTML via the URL to (1) e107_images/thumb.php or (2) rate.php, (3) resend_name parameter to e107_admin/users.php, and (4) link BBCode in user signatures.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple cross-site scripting vulnerabilities in e107 before 1.0.0 allow remote attackers to inject arbitrary web script or HTML via crafted URLs or user signatures.

Vulnerability

e107 0.7.26 and other versions before 1.0.0 contain multiple cross-site scripting (XSS) vulnerabilities. The affected vectors are: the URL passed to e107_images/thumb.php and rate.php; the resend_name parameter in e107_admin/users.php; and the link BBCode in user signatures. These flaws allow injection of arbitrary web script or HTML.

Exploitation

An attacker can exploit the URL-based XSS by crafting a malicious link and tricking a victim into clicking it. The resend_name parameter XSS requires access to the admin panel (no authentication requirement is specified, but this is likely an admin function). The signature XSS requires that a user be able to edit their signature and include malicious BBCode, which then executes when other users view the profile or posts containing the signature.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The impact is limited to the user's session and browser.

Mitigation

The vulnerabilities are fixed in e107 version 1.0.0 [1]. Users should upgrade to this version or later. No workarounds are documented in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • E107/E107 (llm-fuzzy)
    Range: <=0.7.26, <1.0.0
