Medium

DATE	CVE	VULNERABILITY TITLE	RISK
2017-08-02	CVE-2017-12139	Cross-site Scripting vulnerability in Xoops 2.5.8 XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php. network xoops CWE-79	4.3
2017-08-02	CVE-2017-12138	Open Redirect vulnerability in Xoops 2.5.8 XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter. network xoops CWE-601	5.8
2017-04-24	CVE-2017-7944	Cross-site Scripting vulnerability in Xoops 2.5.8.1 XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php. network xoops CWE-79	4.3
2017-03-30	CVE-2017-7290	SQL Injection vulnerability in Xoops 2.5.7.2/2.5.7.3/2.5.8.1 SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. network low complexity xoops CWE-89	6.5
2014-11-20	CVE-2014-8999	SQL Injection vulnerability in Xoops 2.5.6 SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter. network low complexity xoops CWE-89	6.5
2014-09-11	CVE-2012-0984	Cross-Site Scripting vulnerability in Xoops Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php. network xoops CWE-79	4.3
2011-11-28	CVE-2011-4565	Cross-Site Scripting vulnerability in Xoops Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.5.1.a, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to include/formdhtmltextarea_preview.php or (2) img BBCODE tag within the message parameter to pmlite.php (aka Private Message). network xoops CWE-79	4.3
2011-09-24	CVE-2011-3822	Information Exposure vulnerability in Xoops 2.5.0 XOOPS 2.5.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/system/xoops_version.php and certain other files. network low complexity xoops CWE-200	5.0
2010-05-07	CVE-2009-4851	Permissions, Privileges, and Access Controls vulnerability in Xoops The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrative approval via a request involving activate.php. network low complexity xoops CWE-264	5.0
2009-12-20	CVE-2009-4359	Cross-Site Scripting vulnerability in Marc-Andre Lanciault Smartmedia 0.85 Cross-site scripting (XSS) vulnerability in folder.php in the SmartMedia 0.85 Beta module for XOOPS allows remote attackers to inject arbitrary web script or HTML via the categoryid parameter. network marc-andre-lanciault xoops CWE-79	4.3