National Vulnerability Database

National Vulnerability Database

National Vulnerability

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:xoops:xoops:
There are 3 matching records.
Vuln ID Summary CVSS Severity

In install/page_dbsettings.php in the Core distribution of XOOPS, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.

Published: July 12, 2017; 05:29:00 PM -04:00
V2: 7.5 HIGH

XOOPS Core has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.

Published: April 24, 2017; 06:59:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM

SQL injection vulnerability in XOOPS and other versions before allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.

Published: March 30, 2017; 03:59:00 AM -04:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM