Xoops

by XOOPS

CVEs (44)

  • CVE-2017-11174 | Critical | Jul 12, 2017
    risk 0.64 | cvss 9.8 | epss 0.01

    In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.

  • CVE-2017-7290 | High | Mar 30, 2017
    risk 0.47 | cvss 7.2 | epss 0.02

    SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.

  • CVE-2017-12139 | Medium | Aug 2, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.

  • CVE-2017-12138 | Medium | Aug 2, 2017
    risk 0.40 | cvss 6.1 | epss 0.03

    XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.

  • CVE-2017-7944 | Medium | Apr 24, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.

  • CVE-2006-2516 | May 22, 2006
    risk 0.04 | cvss n/a | epss 0.06

    mainfile.php in XOOPS 2.0.13.2 and earlier, when register_globals is enabled, allows remote attackers to overwrite variables such as $xoopsOption['nocommon'] and conduct directory traversal attacks or include PHP files via (1) xoopsConfig[language] to misc.php or (2)…

  • CVE-2012-0984 | Sep 11, 2014
    risk 0.03 | cvss n/a | epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to…

  • CVE-2009-2783 | Aug 17, 2009
    risk 0.03 | cvss n/a | epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) op parameter to modules/pm/viewpmsg.php and (2) query string to modules/profile/user.php.

  • CVE-2008-6884 | Jul 31, 2009
    risk 0.03 | cvss n/a | epss 0.06

    Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter to (1) blocks.php and (2) main.php in…

  • CVE-2008-5665 | Dec 19, 2008
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in index.php in the xhresim module in XOOPS allows remote attackers to execute arbitrary SQL commands via the no parameter.

  • CVE-2008-3295 | Jul 25, 2008
    risk 0.03 | cvss n/a | epss 0.03

    Cross-site scripting (XSS) vulnerability in modules/system/admin.php in XOOPS 2.0.18.1 allows remote attackers to inject arbitrary web script or HTML via the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-3296 | Jul 25, 2008
    risk 0.03 | cvss n/a | epss 0.06

    Directory traversal vulnerability in modules/system/admin.php in XOOPS 2.0.18 1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely…

  • CVE-2008-0613 | Feb 6, 2008
    risk 0.03 | cvss n/a | epss 0.02

    Open redirect vulnerability in htdocs/user.php in XOOPS 2.0.18 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the xoops_redirect parameter.

  • CVE-2008-0611 | Feb 6, 2008
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery System 2.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0612 | Feb 6, 2008
    risk 0.03 | cvss n/a | epss 0.03

    Directory traversal vulnerability in htdocs/install/index.php in XOOPS 2.0.18 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.

  • CVE-2006-5810 | Nov 8, 2006
    risk 0.03 | cvss n/a | epss 0.02

    Cross-site scripting (XSS) vulnerability in modules/wfdownloads/newlist.php in XOOPS 1.0 allows remote attackers to inject arbitrary web script or HTML via the newdownloadshowdays parameter.

  • CVE-2006-0198 | Jan 13, 2006
    risk 0.03 | cvss n/a | epss 0.02

    Cross-site scripting (XSS) vulnerability in a certain module, possibly poll or Pool, for XOOPS allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element in a comment.

  • CVE-2005-2112 | Jul 5, 2005
    risk 0.03 | cvss n/a | epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php.

  • CVE-2005-2113 | Jul 5, 2005
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method.

  • CVE-2004-2756 | Dec 31, 2004
    risk 0.03 | cvss n/a | epss 0.02

    Cross-site scripting (XSS) vulnerability in viewtopic.php in Xoops 2.x, possibly 2 through 2.0.5, allows remote attackers to inject arbitrary web script or HTML via the (1) forum and (2) topic_id parameters.

Page 1 of 3