XOOPS cross-site scripting vulnerability


XOOPS is an open source web content management system implemented in PHP.

XOOPS itself and its forum modules have multiple vulnerabilities in validating private messages and forum articles.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

  • XOOPS Cube 2.0.12 JP and earlier
  • XOOPS Cube and earlier
  • XOOPS Cube 2.2.3 RC1 and earlier


A remote attacker may upload a script to be executed by a user reading a private message or a forum article.
This may allow a remote attacker to perform a session-hijacking and manipulate the screens after the user logs in.

Vendor Information

CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2005-2338

  1. JVN : JVN#77105349
  2. National Vulnerability Database (NVD) : CVE-2005-2338
  3. Secunia Advisory : SA17300
  4. SecurityFocus : 15195
Revision History

  • [2008/05/21]
      Web page published