XOOPS Arbitrary Avatar File Upload

Nessus Network Monitor Plugin ID 2683 (severity: high)

Synopsis

The remote host may be tricked into running an executable file.

Description

The remote host is running XOOPS, a web-portal application written in PHP. The installed version contains a flaw in its avatar file upload handling that allows a remote attacker to upload a file containing arbitrary executable code and then execute that code by requesting the uploaded file over the web. An attacker exploiting this flaw would be able to execute arbitrary code within the context of the web server.

Solution

Upgrade or patch according to vendor recommendations.

See Also

http://www.xoops.org

Plugin Details

Severity: High

ID: 2683

Family: CGI

Published: 3/8/2005

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:xoops:xoops

Reference Information

CVE: CVE-2005-0743

BID: 12754