Vulnerabilities > CVE-2001-1524 - Cross-Site Scripting vulnerability in PHPNuke
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Cross-site scripting (XSS) vulnerability in PHP-Nuke 5.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) uname parameter in user.php, (2) ttitle, letter and file parameters in modules.php, (3) subject, story and storyext parameters in submit.php, (4) upload parameter in admin.php and (5) fname parameter in friend.php.
Vulnerable Configurations
Exploit-Db
description PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x user.php uname Parameter XSS Vulnerability. CVE-2001-1524. Webapps exploit for php platform id EDB-ID:21165 last seen 2016-02-02 modified 2001-12-03 published 2001-12-03 reporter Cabezon Aurélien source https://www.exploit-db.com/download/21165/ title PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x user.php uname Parameter XSS Vulnerability description PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x modules.php Multiple Parameter XSS Vulnerability. CVE-2001-1524. Webapps exploit for php platform id EDB-ID:21166 last seen 2016-02-02 modified 2001-12-03 published 2001-12-03 reporter Cabezon Aurélien source https://www.exploit-db.com/download/21166/ title PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x modules.php Multiple Parameter XSS Vulnerability
References
- http://online.securityfocus.com/archive/1/245691
- http://online.securityfocus.com/archive/1/245875
- http://online.securityfocus.com/archive/82/243545
- http://online.securityfocus.com/archive/82/246603
- http://prdownloads.sourceforge.net/phpnuke/PHP-Nuke-5.5.tar.gz
- http://www.iss.net/security_center/static/7654.php
- http://www.securityfocus.com/bid/3609