Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.
Max CVSS
9.0
EPSS Score
0.23%
Published
2023-08-03
Updated
2023-08-08
XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.
Max CVSS
6.1
EPSS Score
0.06%
Published
2017-08-02
Updated
2017-08-04
XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
Max CVSS
6.1
EPSS Score
0.06%
Published
2017-08-02
Updated
2017-08-04
In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.
Max CVSS
9.8
EPSS Score
0.14%
Published
2017-07-12
Updated
2017-07-27
XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.
Max CVSS
6.1
EPSS Score
0.06%
Published
2017-04-24
Updated
2017-04-27
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.
Max CVSS
7.2
EPSS Score
0.14%
Published
2017-03-30
Updated
2017-04-03
SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter.
Max CVSS
6.5
EPSS Score
0.11%
Published
2014-11-20
Updated
2014-11-24
Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have unknown impact and attack vectors.
Max CVSS
7.5
EPSS Score
0.33%
Published
2009-11-17
Updated
2017-08-17
Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter to (1) blocks.php and (2) main.php in xoops_lib/modules/protector/.
Max CVSS
6.8
EPSS Score
3.19%
Published
2009-07-31
Updated
2017-09-29
SQL injection vulnerability in index.php in the xhresim module in XOOPS allows remote attackers to execute arbitrary SQL commands via the no parameter.
Max CVSS
7.5
EPSS Score
0.06%
Published
2008-12-19
Updated
2017-09-29
Directory traversal vulnerability in modules/system/admin.php in XOOPS 2.0.18 1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS
7.5
EPSS Score
1.09%
Published
2008-07-25
Updated
2017-08-08
Directory traversal vulnerability in htdocs/install/index.php in XOOPS 2.0.18 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
Max CVSS
7.5
EPSS Score
0.79%
Published
2008-02-06
Updated
2018-10-15
SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery System 2.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.
Max CVSS
7.5
EPSS Score
0.11%
Published
2008-02-06
Updated
2017-09-29
Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1 and earlier allows remote attackers to upload arbitrary files via unspecified vectors related to improper upload configuration settings in class/uploader.php and class/mimetypes.inc.php, possibly an incomplete blacklist that omits the .php4 extension.
Max CVSS
7.5
EPSS Score
1.90%
Published
2007-10-03
Updated
2011-03-08
Multiple SQL injection vulnerabilities in Xoops 2.0.16 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in kernel/group.php in core, (2) the lid parameter in class/table_broken.php in the Weblinks module, and other unspecified vectors.
Max CVSS
7.5
EPSS Score
1.02%
Published
2007-01-19
Updated
2018-10-16
Cross-site scripting (XSS) vulnerability in modules/wfdownloads/newlist.php in XOOPS 1.0 allows remote attackers to inject arbitrary web script or HTML via the newdownloadshowdays parameter.
Max CVSS
6.8
EPSS Score
0.34%
Published
2006-11-08
Updated
2008-09-05
SQL injection vulnerability in edituser.php in Xoops before 2.0.15 allows remote attackers to execute arbitrary SQL commands via the user_avatar parameter.
Max CVSS
7.5
EPSS Score
1.03%
Published
2006-08-28
Updated
2018-10-17
Directory traversal vulnerability in editor_registry.php in XOOPS 2.2.3 allows remote attackers to read or include arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter.
Max CVSS
6.4
EPSS Score
0.32%
Published
2005-11-18
Updated
2016-10-18
SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method.
Max CVSS
7.5
EPSS Score
0.30%
Published
2005-07-05
Updated
2016-10-18
The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and earlier allows remote attackers to upload arbitrary PHP scripts, whose file extensions are not filtered.
Max CVSS
7.5
EPSS Score
2.69%
Published
2005-05-02
Updated
2017-07-11
SQL injection vulnerability in index.php of WebChat 1.5 included in XOOPS 1.0 allows remote attackers to execute arbitrary SQL commands via the roomid parameter.
Max CVSS
7.5
EPSS Score
0.13%
Published
2002-12-31
Updated
2008-09-05
Cross-site scripting (CSS) vulnerabilities in the Private Message System for XOOPS 1.0 RC1 allow remote attackers to execute Javascript on other web clients via (1) the Title field or a Private Message Box or (2) the image field parameter in pmlite.php.
Max CVSS
7.5
EPSS Score
1.44%
Published
2002-05-16
Updated
2008-09-11
22 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!