XOOPS Core 2.5.8.1 Install DB Cross-Site Scripting

============================================
CVE: CVE-2017-7944
============================================
Credit: Nguyen Thanh Nguyen
============================================
Dates: April 18, 2017
============================================
Product: XOOPS Core
============================================
Versions Affected: 2.5.8.1
============================================
Risk / Severity Rating: Low
============================================
Vulnerability Description and Impact:
Description: XSS occurs in page_dbsettings.php via the error message shown when the database install fails, because the HTML output is not escaped.
Impact: context-dependent, such as forcing the victim to change the database name, charset, or collation, or causing an open redirect to a malicious site.
============================================
Solution: Don’t output user input, or sanitize it first.
============================================
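The unescaped error output described above, next to the fix from the Solution line, as an added PHP example. It is not XOOPS code: the function names, message text, allowlist pattern and sample value are hypothetical, and because the advisory does not say which installer field is reflected, a database name is assumed.

```php
<?php
// Added illustration, not XOOPS source. All names and the sample input
// below are hypothetical.

// Unsafe pattern: request data is concatenated into the error markup as-is,
// so any markup inside $dbName becomes part of the rendered page.
function renderDbErrorUnsafe(string $dbName): string
{
    return '<div class="errorMsg">Unable to create database ' . $dbName . '</div>';
}

// Encode for the HTML context at the point of output.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of making the function return an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same message, user-controlled part encoded first.
function renderDbErrorSafe(string $dbName): string
{
    return '<div class="errorMsg">Unable to create database ' . escapeHtml($dbName) . '</div>';
}

// Second layer (assumed policy): accept only names made of letters, digits
// and underscores before the value is used anywhere.
function isPlausibleDbName(string $dbName): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $dbName) === 1;
}

// Constructed sample input carrying harmless markup.
$input = 'xoops"><i>injected</i>';

echo renderDbErrorUnsafe($input), PHP_EOL; // markup is emitted unchanged
echo renderDbErrorSafe($input), PHP_EOL;   // markup is emitted as entities
var_dump(isPlausibleDbName($input));       // validation result for the sample
var_dump(isPlausibleDbName('xoops_db'));   // validation result for a plain name
```

Validation narrows what reaches the installer, but the output encoding is what closes the XSS, since an error message can echo values that were never validated.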