CVE-2004-1957
Published 2004-04-21
Priority: P4 · 19 · low
CVSS 2.0: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
EXPLOIT
EPSS: 4.59% (90.5th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.726 allow remote attackers to inject arbitrary web script or HTML via the (1) lid and query parameters to the Downloads module, (2) query parameter to the Web_links module, or (3) hlpfile parameter to openwindow.php.
No detection rules found.
Exploit-DB
PostNuke Phoenix 0.726 - 'openwindow.php?hlpfile' Cross-Site Scripting
exploitdb·2004-04-21
---
source: https://www.securityfocus.com/bid/10191/info
Multiple vulnerabilities were reported to exist in PostNuke Phoenix. The following specific vulnerabilities were reported:
- Multiple path disclosure vulnerabilities that occur when a user directly requests scripts in the "/includes/blocks/" and "pnadodb" directories. This issue also affects scripts that are associated in multiple modules.
- Multiple cross-site scripting vulnerabilities were reported in the Downloads and Web_Links modules as well as the openwindow.php script. These issues may permit remote attackers to cause hostile HTML and script code to be interpreted by a victim user's browser.
http://www.example.com/postnuke0726/javascript/openwindow.ph
Exploit-DB
PostNuke 0.6/0.7 Downloads Module - TTitle Cross-Site Scripting
exploitdb·2003-08-08
---
source: https://www.securityfocus.com/bid/8374/info
It has been reported that a cross-site scripting vulnerability exists in the Downloads and Web_Links modules of PostNuke. It is possible that an attacker may construct a link containing malicious script code that could be executed in a browser of a user who visits the link.
Exploitation could allow theft of authentication cookies.
http://www.example.com/[PATH]/modules.php?
op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=[ID]
&ttitle=[Yeye XSS ;-)]"%3e[XSS ATTACK]
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=108258902000472&w=2
http://www.securityfocus.com/bid/10191
http://www.waraxe.us/index.php?modname=sa&id=22
https://exchange.xforce.ibmcloud.com/vulnerabilities/15934