phpAdsNew cross-site scripting vulnerability


phpAdsNew, an open source web advertising management system, contains a cross-site scripting vulnerability.

Note that phpAdsNew is now called "Openads."

The products listed below use the same module as phpAdsNew and are therefore also affected by the vulnerability.

- phpPgAds 2.0.9-pr1 and earlier
- Max Media Manager v0.1.29-rc and earlier
- Max Media Manager v0.3.30-alpha and earlier

All users of these products are encouraged to update to the latest versions provided by the developer.

The updated versions of each product are listed below:

- The updated version of phpAdsNew 2.0.9-pr1 is Openads 2.0.10.
- The updated version of phpPgAds 2.0.9-pr1 is Openads for PostgreSQL 2.0.10.
- The updated version of Max Media Manager v0.1.29-rc and v0.3.30-alpha is Openads 2.3.31.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

  • Openads 2.0 - 2.0.10
  • Openads 2.3 - 2.3.31
  • Openads (postgresql) 2.0.10


An arbitrary script may be executed on the user's web browser if the user is logged into phpAdsNew as the administrator. This may allow cookie information to be leaked or displayed content to be falsified.

CVE

  1. CVE-2007-0477

  1. JVN : JVN#07274813
  2. National Vulnerability Database (NVD) : CVE-2007-0477

Revision History

  • [2008/05/21]
      Web page published