CVE-2012-0984
Published: 2014-09-11
Priority: P4 · Severity: medium · CVSS 2.0 base score: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N (network-reachable, medium complexity, no authentication, partial integrity impact only: the standard CVSS 2.0 scoring for reflected XSS)
Exploit: public PoC indexed (see the Exploit-DB entries below)
EPSS: 4.16% (89.6th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
Affected
5 ranges listed; only the first carries version data, the other four are empty in the index.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xoops | xoops | <= 2.5.4 | 2.5.5 (from the CVE description "before 2.5.5") |
No detection rules found.
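Since the index carries no detection rule for this CVE, the following is an added example (not from this page, the HTB advisory, or any vendor rule set) of the log-side check a defender would write for it: it parses access-log lines, isolates requests to the two vulnerable scripts named in the CVE description, and flags the four affected parameters when they carry markup or, for the two id parameters, anything non-numeric. The log lines are constructed for the example, the site prefix `/xoops/` in two of them is an invented install path, and the markup heuristics are assumptions, not a published signature.

```python
"""
Added example (not from the original page or the XOOPS project): flag requests
that probe the four CVE-2012-0984 parameters with values that should never be
legitimate. Log lines below are constructed; heuristics are assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Vulnerable scripts and the parameters the CVE description names for each
# (tuples, not sets, so findings come out in a stable order).
VULN_PARAMS = {
    "/modules/pm/pmlite.php": ("to_userid",),
    "/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/"
    "xoopsimagemanager/xoopsimagebrowser.php": ("current_file", "imgcat_id", "target"),
}

# Parameters that should only ever carry an integer id (assumption from the names).
NUMERIC_PARAMS = {"to_userid", "imgcat_id"}

# Heuristic markers of an XSS probe: tag opener, javascript: URL, event-handler
# attribute, or a quote followed by '>' (attribute breakout, as in the PoCs).
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!?]|javascript:|\bon[a-z]+\s*=|['\"]\s*>", re.IGNORECASE)

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request(target):
    """Return [(param, decoded_value, reason)] for one request target, [] if clean."""
    parts = urlsplit(target)
    names = None
    for vuln_path, params in VULN_PARAMS.items():
        # Suffix match so an install under a subdirectory still matches.
        if parts.path.endswith(vuln_path):
            names = params
            break
    if names is None:
        return []
    findings = []
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in names:
        for raw in query.get(name, []):
            # parse_qs already decoded once; a second pass catches double encoding.
            value = unquote(raw)
            if not value:
                continue
            if name in NUMERIC_PARAMS and not value.isdigit():
                findings.append((name, value, "non-numeric value in numeric id parameter"))
            elif MARKUP_RE.search(value):
                findings.append((name, value, "markup in parameter"))
    return findings


def scan_log(lines):
    """Return [(ip, timestamp, status, findings)] for lines that hit a vulnerable parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m["target"])
        if findings:
            hits.append((m["ip"], m["ts"], int(m["status"]), findings))
    return hits


# Constructed sample traffic (RFC 5737 documentation addresses, not real logs).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Apr/2012:10:00:01 +0000] "GET /modules/pm/pmlite.php?to_userid=42 HTTP/1.1" 200 1532',
    '203.0.113.7 - - [18/Apr/2012:10:00:05 +0000] "GET /modules/pm/pmlite.php?to_userid=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 1601',
    '198.51.100.9 - - [18/Apr/2012:10:01:10 +0000] "GET /xoops/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php?imgcat_id=3&target=editor HTTP/1.1" 200 2210',
    '198.51.100.9 - - [18/Apr/2012:10:01:12 +0000] "GET /xoops/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php?imgcat_id=3&target=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert%281%29%253E HTTP/1.1" 200 2210',
    '192.0.2.4 - - [18/Apr/2012:10:02:00 +0000] "GET /index.php?to_userid=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, ts, status, findings in scan_log(SAMPLE_LOG):
        for name, value, reason in findings:
            print(f"{ts} {ip} status={status} param={name} reason={reason} value={value!r}")
```

The second and fourth sample lines are the ones that trip the check: the first because `to_userid` carries a script tag instead of an id, the second because the double-encoded `target` value decodes to an `<img onerror>` payload. The last line shows why path matching matters: the same parameter name on an unrelated script is ignored rather than raising noise.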
Exploit-DB
XOOPS 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2012-04-19 · CVSS 4.3 · CVE-2012-0984 [MEDIUM]
---
Advisory ID: HTB23062
Product: XOOPS
Vendor: xoops.org
Vulnerable Version(s): 2.5.4 and probably prior
Tested Version: 2.5.4
Vendor Notification: 7 December 2011
Vendor Patch: 22 February 2012
Public Disclosure: 18 April 2012
Vulnerability Type: XSS (Cross Site Scripting)
CVE Reference(s): CVE-2012-0984
Solution Status: Fixed by Vendor
Risk Level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )
Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in XOOPS, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in XOOPS: CVE-2012-0984
1.1 Input passed via the "to_userid" PO
Exploit-DB
XOOPS 2.5.4 - '/modules/pm/pmlite.php?to_userid' Cross-Site Scripting
exploitdb · 2012-04-18 · CVE-2012-0984
---
source: https://www.securityfocus.com/bid/53143/info
XOOPS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
XOOPS 2.5.4 is vulnerable; other versions may be affected.
PoC payload fragment (surrounding markup lost in extraction):
alert(document.cookie);'>
Exploit-DB
XOOPS 2.5.4 - '/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2012-04-18 · CVE-2012-0984
---
source: https://www.securityfocus.com/bid/53143/info (same SecurityFocus description as the previous entry)
Three PoC payload fragments (surrounding markup lost in extraction):
alert(document.cookie);'>
alert(document.cookie);'>
alert(document.cookie);'>
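The SecurityFocus text says only that XOOPS "fails to sufficiently sanitize user-supplied data", and the surviving `'>` in each PoC fragment suggests the value was reflected inside a single-quoted HTML attribute. The following is an added example, not code from this page, the HTB advisory, or XOOPS: a canary-based reflection check that tells an unencoded reflection (exploitable) apart from an encoded one (fixed) or no reflection at all, run here against two stand-in render functions. The attribute context and the `value='...'` markup are assumptions inferred from the fragments, not the real pmlite.php template; `http_fetcher` and its placeholder host `xoops.example` are provided for running the same verdict against a target you are authorized to test.

```python
"""
Added example (not from the original page, the HTB advisory, or XOOPS itself):
canary-based check for the unencoded reflection behind CVE-2012-0984. The
single-quoted attribute context is inferred from the "'>" residue of the
published payloads (an assumption); render_vulnerable/render_fixed are stand-ins
for the pre- and post-2.5.5 behaviour, not XOOPS source.
"""
import html
import secrets
import string
from urllib.parse import urlencode
from urllib.request import urlopen


def render_vulnerable(to_userid):
    # Stand-in for the vulnerable behaviour: the value is echoed untouched, so a
    # quote followed by '>' closes the attribute and the tag.
    return f"<input type='hidden' name='to_userid' value='{to_userid}'>"


def render_fixed(to_userid):
    # Hardened stand-in: encode for the attribute context. quote=True encodes
    # both ' and " (PHP equivalent: htmlspecialchars($v, ENT_QUOTES, 'UTF-8')).
    return f"<input type='hidden' name='to_userid' value='{html.escape(to_userid, quote=True)}'>"


def make_canary(length=8):
    # Random alphanumeric marker so the verdict cannot be fooled by text that
    # already exists in the page.
    alphabet = string.ascii_lowercase + string.digits
    return "c" + "".join(secrets.choice(alphabet) for _ in range(length))


def reflection_verdict(fetch, canary=None):
    """Send an attribute-breakout probe through `fetch` (value -> response body).

    'reflected'     : quote, '>' and canary all came back intact -> injectable
    'escaped'       : canary came back but the metacharacters were encoded
    'not_reflected' : the canary is absent from the response
    """
    canary = canary or make_canary()
    probe = f"'>{canary}<"
    body = fetch(probe)
    if probe in body:
        return "reflected"
    if canary in body:
        return "escaped"
    return "not_reflected"


def http_fetcher(base_url, path, param, extra=None, timeout=10):
    """Build a fetch callable for a live target (authorized testing only).

    Example: http_fetcher("http://xoops.example", "/modules/pm/pmlite.php", "to_userid")
    The host is a placeholder; `extra` carries any other query parameters the
    script needs (e.g. imgcat_id for xoopsimagebrowser.php).
    """
    def fetch(value):
        query = dict(extra or {})
        query[param] = value
        with urlopen(f"{base_url}{path}?{urlencode(query)}", timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


if __name__ == "__main__":
    for label, render in (("vulnerable stand-in", render_vulnerable),
                          ("hardened stand-in", render_fixed)):
        print(f"{label}: {reflection_verdict(render)}")
```

The probe carries only a quote, a `>` and an inert marker, so it is non-destructive and yields a verdict without executing any script; only the "reflected" case needs the actual payload from the Exploit-DB entries to confirm execution in a browser.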
No writeups or analysis indexed.
References
http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html
http://osvdb.org/81212
http://osvdb.org/81213
http://packetstormsecurity.org/files/111958/XOOPS-2.5.4-Cross-Site-Scripting.html
http://secunia.com/advisories/48887
http://www.exploit-db.com/exploits/18753
http://www.securityfocus.com/bid/53143
http://xoops.org/modules/news/article.php?storyid=6284
https://exchange.xforce.ibmcloud.com/vulnerabilities/75024
https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html