Published: 2005/10/24 Last Updated: 2008/05/21
JVN#77105349
XOOPS cross-site scripting vulnerability
Overview
XOOPS is an open source web content management system implemented in PHP.
XOOPS itself and its forum modules have multiple vulnerabilities in validating private messages and forum articles.
Products Affected
- XOOPS 2.0.12 JP and earlier
- XOOPS 2.0.13.1 and earlier
- XOOPS 2.2.3 RC1 and earlier
Description
Impact
A remote attacker may upload a script that is executed in the browser of a user reading a private message or a forum article.
This may allow the attacker to hijack the user's session and manipulate the screens displayed after the user logs in.
Solution
JPCERT/CC Addendum
Credit
Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.
Other Information
- CVE: CVE-2005-2338
- JVN iPedia: JVNDB-2005-000864