Xoops
Sign in to watchby XOOPS
CVEs (40)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-11174 | Cri | 0.64 | 9.8 | 0.00 | Jul 12, 2017 | In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses. | |
| CVE-2017-7290 | Hig | 0.47 | 7.2 | 0.01 | Mar 30, 2017 | SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program. | |
| CVE-2017-12138 | Med | 0.41 | 6.1 | 0.12 | Aug 2, 2017 | XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter. | |
| CVE-2017-12139 | Med | 0.40 | 6.1 | 0.00 | Aug 2, 2017 | XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php. | |
| CVE-2017-7944 | Med | 0.40 | 6.1 | 0.00 | Apr 24, 2017 | XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php. | |
| CVE-2012-0984 | 0.04 | — | 0.18 | Sep 11, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php. | ||
| CVE-2009-2783 | 0.04 | — | 0.07 | Aug 17, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) op parameter to modules/pm/viewpmsg.php and (2) query string to modules/profile/user.php. | ||
| CVE-2003-1550 | 0.04 | — | 0.08 | Dec 31, 2003 | XOOPS 2.0, and possibly earlier versions, allows remote attackers to obtain sensitive information via an invalid xoopsOption parameter, which reveals the installation path in an error message. | ||
| CVE-2008-6884 | 0.03 | — | 0.06 | Jul 31, 2009 | Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter to (1) blocks.php and (2) main.php in xoops_lib/modules/protector/. | ||
| CVE-2008-5665 | 0.03 | — | 0.00 | Dec 19, 2008 | SQL injection vulnerability in index.php in the xhresim module in XOOPS allows remote attackers to execute arbitrary SQL commands via the no parameter. | ||
| CVE-2008-3296 | 0.03 | — | 0.01 | Jul 25, 2008 | Directory traversal vulnerability in modules/system/admin.php in XOOPS 2.0.18 1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-3295 | 0.03 | — | 0.00 | Jul 25, 2008 | Cross-site scripting (XSS) vulnerability in modules/system/admin.php in XOOPS 2.0.18.1 allows remote attackers to inject arbitrary web script or HTML via the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-0613 | 0.03 | — | 0.03 | Feb 6, 2008 | Open redirect vulnerability in htdocs/user.php in XOOPS 2.0.18 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the xoops_redirect parameter. | ||
| CVE-2008-0611 | 0.03 | — | 0.00 | Feb 6, 2008 | SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery System 2.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-0612 | 0.03 | — | 0.05 | Feb 6, 2008 | Directory traversal vulnerability in htdocs/install/index.php in XOOPS 2.0.18 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. | ||
| CVE-2006-5810 | 0.03 | — | 0.00 | Nov 8, 2006 | Cross-site scripting (XSS) vulnerability in modules/wfdownloads/newlist.php in XOOPS 1.0 allows remote attackers to inject arbitrary web script or HTML via the newdownloadshowdays parameter. | ||
| CVE-2006-2516 | 0.03 | — | 0.05 | May 22, 2006 | mainfile.php in XOOPS 2.0.13.2 and earlier, when register_globals is enabled, allows remote attackers to overwrite variables such as $xoopsOption['nocommon'] and conduct directory traversal attacks or include PHP files via (1) xoopsConfig[language] to misc.php or (2) xoopsConfig[theme_set] to index.php, as demonstrated by injecting PHP sequences into a log file. | ||
| CVE-2005-2112 | 0.03 | — | 0.01 | Jul 5, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php. | ||
| CVE-2005-2113 | 0.03 | — | 0.01 | Jul 5, 2005 | SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method. | ||
| CVE-2004-2756 | 0.03 | — | 0.00 | Dec 31, 2004 | Cross-site scripting (XSS) vulnerability in viewtopic.php in Xoops 2.x, possibly 2 through 2.0.5, allows remote attackers to inject arbitrary web script or HTML via the (1) forum and (2) topic_id parameters. |
Page 1 of 2