Detections
Analytics

XOOPS misc.php Query String XSS

medium Nessus Plugin ID 42435

Language:

Synopsis

A web application on the remote host has a cross-site scripting vulnerability.

Description

The version of XOOPS running on the remote web server has a cross- site scripting vulnerability. 'misc.php' does not sanitize the requested URI before displaying it in the response. Manipulating the query string can result in a cross-site scripting attack. A remote attacker could exploit this by tricking a user into requesting a malicious URL.

There are reportedly other unspecified vulnerabilities in this version of XOOPS, though Nessus has not checked for those issues.

Solution

Upgrade to XOOPS 2.4.0 or later.

See Also

http://www.nessus.org/u?a12c2180

https://xoops.org/modules/news/article.php?storyid=5064

Plugin Details

Severity: Medium

ID: 42435

File Name: xoops_misc_uri_xss.nasl

Version: 1.14

Type: remote

Published: 11/10/2009

Updated: 6/1/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Required KB Items: www/xoops

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 10/26/2009

Vulnerability Publication Date: 10/2/2009

Reference Information

CVE: CVE-2009-3963

BID: 36955

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990