CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Xoops : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-3935 89 Exec Code Sql 2014-06-02 2014-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in glossaire-aff.php in the Glossaire module 1.0 for XOOPS allows remote attackers to execute arbitrary SQL commands via the lettre parameter.
2 CVE-2011-4565 79 XSS 2011-11-28 2011-11-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.5.1.a, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to include/formdhtmltextarea_preview.php or (2) img BBCODE tag within the message parameter to pmlite.php (aka Private Message). NOTE: some of these details are obtained from third party information.
3 CVE-2011-3822 200 +Info 2011-09-23 2012-05-21
5.0
None Remote Low Not required Partial None None
XOOPS 2.5.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/system/xoops_version.php and certain other files.
4 CVE-2009-4851 264 Bypass 2010-05-07 2010-05-13
5.0
None Remote Low Not required None Partial None
The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrative approval via a request involving activate.php.
5 CVE-2009-4582 89 1 Exec Code Sql 2010-01-06 2010-01-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in detail.php in the Dictionary module for XOOPS 2.0.18 allows remote attackers to execute arbitrary SQL commands via the id parameter.
6 CVE-2009-3963 2009-11-17 2009-11-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have unknown impact and attack vectors.
7 CVE-2009-2783 79 XSS 2009-08-17 2013-08-14
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) op parameter to modules/pm/viewpmsg.php and (2) query string to modules/profile/user.php.
8 CVE-2008-7178 22 1 Dir. Trav. 2009-09-08 2009-09-08
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in Uploader module 1.1 for XOOPS allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a downloadfile action to index.php.
9 CVE-2008-6885 79 XSS 2009-07-31 2009-08-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in pmlite.php in XOOPS 2.3.1 and 2.3.2a allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute in a URL BBcode tag in a private message.
10 CVE-2008-6884 22 1 Dir. Trav. 2009-07-31 2009-08-03
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter to (1) blocks.php and (2) main.php in xoops_lib/modules/protector/.
11 CVE-2008-5665 89 1 Exec Code Sql 2008-12-18 2009-01-29
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in the xhresim module in XOOPS allows remote attackers to execute arbitrary SQL commands via the no parameter.
12 CVE-2008-4653 89 1 Exec Code Sql 2008-10-21 2012-10-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in makale.php in Makale 0.26 and possibly other versions, a module for XOOPS, allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.
13 CVE-2008-4435 79 XSS 2008-10-03 2009-07-23
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the RMSOFT Downloads Plus (rmdp) module 1.5 and 1.7 for Xoops allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to search.php and the (2) id parameter to down.php.
14 CVE-2008-4433 89 Exec Code Sql 2008-10-03 2009-02-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter.
15 CVE-2008-4432 79 XSS 2008-10-03 2008-10-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops allows remote attackers to inject arbitrary web script or HTML via the itemsxpag parameter.
16 CVE-2008-3560 79 XSS 2008-08-08 2009-03-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in kshop_search.php in the Kshop module 2.22 for Xoops allows remote attackers to inject arbitrary web script or HTML via the search parameter.
17 CVE-2008-3296 22 Dir. Trav. 2008-07-25 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in modules/system/admin.php in XOOPS 2.0.18 1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
18 CVE-2008-3295 79 XSS 2008-07-25 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in modules/system/admin.php in XOOPS 2.0.18.1 allows remote attackers to inject arbitrary web script or HTML via the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
19 CVE-2008-2094 89 Exec Code Sql 2008-05-06 2009-01-29
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in article.php in the Article module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.
20 CVE-2008-2035 79 XSS 2008-04-30 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Bluemoon, Inc. (1) BackPack 0.91 and earlier, (2) BmSurvey 0.84 and earlier, (3) newbb_fileup 1.83 and earlier, (4) News_embed (news_fileup) 1.44 and earlier, and (5) PopnupBlog 3.19 and earlier modules for XOOPS 2.0.x, XOOPS Cube 2.1, and ImpressCMS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
21 CVE-2008-1351 89 1 Exec Code Sql 2008-03-17 2009-09-01
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Tutorials 2.1b module for XOOPS allows remote attackers to execute arbitrary SQL commands via the tid parameter to printpage.php, which is accessible directly or through a printpage action to index.php.
22 CVE-2008-1065 89 Exec Code Sql 2008-02-28 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in index.php in the XM-Memberstats (xmmemberstats) 2.0e module for XOOPS allow remote attackers to execute arbitrary SQL commands via the (1) letter or (2) sortby parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
23 CVE-2008-1064 79 XSS 2008-02-28 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in images.php in the Red Mexico RMSOFT Gallery System (GS) 2.0 module (aka rmgs) for XOOPS allows remote attackers to inject arbitrary web script or HTML via the q parameter.
24 CVE-2008-1063 79 XSS 2008-02-28 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability index.php in the XM-Memberstats (xmmemberstats) module for XOOPS allows remote attackers to inject arbitrary web script or HTML via the sortby parameter.
25 CVE-2008-0937 89 Exec Code Sql 2008-02-25 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter in a print action, a different vector than CVE-2007-1811.
26 CVE-2008-0936 89 Exec Code Sql 2008-02-25 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in the Prayer List (prayerlist) 1.04 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.
27 CVE-2008-0874 89 1 Exec Code Sql 2008-02-21 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in the eEmpregos module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.
28 CVE-2008-0847 89 1 Exec Code Sql 2008-02-20 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in print.php in the myTopics module for XOOPS allows remote attackers to execute arbitrary SQL commands via the articleid parameter.
29 CVE-2008-0613 59 1 2008-02-06 2008-09-05
5.0
None Remote Low Not required None Partial None
Open redirect vulnerability in htdocs/user.php in XOOPS 2.0.18 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the xoops_redirect parameter.
30 CVE-2008-0612 22 1 Dir. Trav. 2008-02-06 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in htdocs/install/index.php in XOOPS 2.0.18 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
31 CVE-2008-0611 89 1 Exec Code Sql 2008-02-06 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery System 2.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.
32 CVE-2008-0138 89 1 Exec Code Sql File Inclusion 2008-01-08 2008-09-05
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php in the mod_gallery module for XOOPS, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter.
33 CVE-2007-6675 264 2008-01-08 2008-09-05
5.0
None Remote Low Not required None Partial None
The b_system_comments_show function in htdocs/modules/system/blocks/system_blocks.php in XOOPS before 2.0.18 does not check permissions, which allows remote attackers to read the comments in restricted modules.
34 CVE-2007-5978 89 Exec Code Sql 2007-11-14 2008-11-15
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in brokenlink.php in the mylinks module for XOOPS allows remote attackers to execute arbitrary SQL commands via the lid parameter.
35 CVE-2007-5188 2007-10-03 2008-11-15
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1 and earlier allows remote attackers to upload arbitrary files via unspecified vectors related to improper upload configuration settings in class/uploader.php and class/mimetypes.inc.php, possibly an incomplete blacklist that omits the .php4 extension.
36 CVE-2007-3311 1 Exec Code Sql 2007-06-21 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in print.php in the Articles 1.02 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.
37 CVE-2007-3289 1 Exec Code File Inclusion 2007-06-20 2008-11-15
7.5
User Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in spaw/spaw_control.class.php in the WiwiMod 0.4 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656.
38 CVE-2007-3237 1 Exec Code File Inclusion 2007-06-14 2012-10-30
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in admin/spaw/spaw_control.class.php in the TinyContent 1.5 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656.
39 CVE-2007-3236 1 Exec Code File Inclusion 2007-06-14 2012-10-30
7.5
User Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in footer.php in the Horoscope 1.0 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the xoopsConfig[root_path] parameter.
40 CVE-2007-3222 1 Exec Code File Inclusion 2007-06-14 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in modify.php in the XFsection 1.07 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the dir_module parameter.
41 CVE-2007-3221 1 Exec Code File Inclusion 2007-06-14 2008-11-15
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in admin/spaw/spaw_control.class.php in the XT-Conteudo module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656.
42 CVE-2007-3220 1 Exec Code File Inclusion 2007-06-14 2008-11-15
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in admin/editor2/spaw_control.class.php in the Cjay Content 3 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this may be a duplicate of CVE-2006-4656.
43 CVE-2007-3057 1 Exec Code File Inclusion 2007-06-05 2012-11-05
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in include/wysiwyg/spaw_control.class.php in the icontent 4.5 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656.
44 CVE-2007-2738 1 Exec Code Sql 2007-05-17 2012-11-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in glossaire-p-f.php in the Glossaire 1.7 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the sid parameter in an ImprDef action.
45 CVE-2007-2737 Exec Code Sql 2007-05-17 2008-11-15
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in the MyConference 1.0 module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
46 CVE-2007-2571 89 1 Exec Code Sql 2007-05-09 2011-08-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in the wfquotes 1.0 0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the c parameter in a cat action.
47 CVE-2007-2543 1 Exec Code Sql 2007-05-08 2008-11-15
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in game.php in the Flashgames 1.0.1 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the lid parameter.
48 CVE-2007-2370 1 Exec Code Sql 2007-04-30 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in the John Mordo Jobs 2.4 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a jobsview action. NOTE: the module name was originally reported as Job Listings.
49 CVE-2007-1979 1 Exec Code Sql 2007-04-11 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in the PopnupBlog 2.52 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the postid parameter, possibly involving the get_blogid_from_postid function in class/PopnupBlogUtils.php. NOTE: later versions such as 3.03 and 3.05 might also be affected.
50 CVE-2007-1976 1 Exec Code File Inclusion 2007-04-11 2008-11-13
7.5
User Remote Low Not required Partial Partial Partial
** DISPUTED ** PHP remote file inclusion vulnerability in index.php in the Virii Info 1.10 and earlier module for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the xoopsConfig[root_path] parameter. NOTE: the issue has been disputed by a reliable third party, stating that the application's checkSuperglobals function defends against the attack.
Total number of vulnerabilities : 81   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.