Filtered by vendor Xoops
Subscriptions
Filtered by product Xoops
Subscriptions
Total
59 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2008-4053 | 2 Bluemoon, Xoops | 2 Popnupblog, Xoops | 2017-08-08 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in index.php in the Bluemoon PopnupBLOG module 3.20 and 3.30 for XOOPS allow remote attackers to inject arbitrary web script or HTML via the (1) param, (2) cat_id, and (3) view parameters. | ||||
CVE-2008-3296 | 1 Xoops | 1 Xoops | 2017-08-08 | N/A |
Directory traversal vulnerability in modules/system/admin.php in XOOPS 2.0.18 1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||
CVE-2008-3295 | 1 Xoops | 1 Xoops | 2017-08-08 | N/A |
Cross-site scripting (XSS) vulnerability in modules/system/admin.php in XOOPS 2.0.18.1 allows remote attackers to inject arbitrary web script or HTML via the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||
CVE-2008-2035 | 2 Bluemoon, Xoops | 7 Backpack, Bmsurvey, Newbb Fileup and 4 more | 2017-08-08 | N/A |
Cross-site scripting (XSS) vulnerability in the Bluemoon, Inc. (1) BackPack 0.91 and earlier, (2) BmSurvey 0.84 and earlier, (3) newbb_fileup 1.83 and earlier, (4) News_embed (news_fileup) 1.44 and earlier, and (5) PopnupBlog 3.19 and earlier modules for XOOPS 2.0.x, XOOPS Cube 2.1, and ImpressCMS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2003-1550 | 1 Xoops | 1 Xoops | 2017-08-08 | N/A |
XOOPS 2.0, and possibly earlier versions, allows remote attackers to obtain sensitive information via an invalid xoopsOption parameter, which reveals the installation path in an error message. | ||||
CVE-2017-12138 | 1 Xoops | 1 Xoops | 2017-08-04 | N/A |
XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter. | ||||
CVE-2017-12139 | 1 Xoops | 1 Xoops | 2017-08-04 | N/A |
XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php. | ||||
CVE-2003-1453 | 1 Xoops | 1 Xoops | 2017-07-29 | N/A |
Cross-site scripting (XSS) vulnerability in the MytextSanitizer function in XOOPS 1.3.5 through 1.3.9 and XOOPS 2.0 through 2.0.1 allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in an IMG tag. | ||||
CVE-2017-11174 | 1 Xoops | 1 Xoops | 2017-07-27 | N/A |
In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses. | ||||
CVE-2005-0743 | 1 Xoops | 1 Xoops | 2017-07-11 | N/A |
The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and earlier allows remote attackers to upload arbitrary PHP scripts, whose file extensions are not filtered. | ||||
CVE-2017-7944 | 1 Xoops | 1 Xoops | 2017-04-27 | N/A |
XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php. | ||||
CVE-2017-7290 | 1 Xoops | 1 Xoops | 2017-04-03 | N/A |
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program. | ||||
CVE-2005-3680 | 1 Xoops | 1 Xoops | 2016-10-18 | N/A |
Directory traversal vulnerability in editor_registry.php in XOOPS 2.2.3 allows remote attackers to read or include arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter. | ||||
CVE-2005-2338 | 1 Xoops | 1 Xoops | 2016-10-18 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.12 JP and earlier, XOOPS 2.0.13.1 and earlier, and 2.2.x up to 2.2.3 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) modules that use "XOOPS Code" and (2) newbb in the forum module. | ||||
CVE-2005-2113 | 1 Xoops | 1 Xoops | 2016-10-18 | N/A |
SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method. | ||||
CVE-2005-2112 | 1 Xoops | 1 Xoops | 2016-10-18 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php. | ||||
CVE-2007-5188 | 1 Xoops | 1 Xoops | 2011-03-08 | N/A |
Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1 and earlier allows remote attackers to upload arbitrary files via unspecified vectors related to improper upload configuration settings in class/uploader.php and class/mimetypes.inc.php, possibly an incomplete blacklist that omits the .php4 extension. | ||||
CVE-2002-0217 | 1 Xoops | 1 Xoops | 2008-09-11 | N/A |
Cross-site scripting (CSS) vulnerabilities in the Private Message System for XOOPS 1.0 RC1 allow remote attackers to execute Javascript on other web clients via (1) the Title field or a Private Message Box or (2) the image field parameter in pmlite.php. | ||||
CVE-2002-0216 | 1 Xoops | 1 Xoops | 2008-09-11 | N/A |
userinfo.php in XOOPS 1.0 RC1 allows remote attackers to obtain sensitive information via a SQL injection attack in the "uid" parameter. |