Cross-site scripting vulnerabilities in multiple Bluemoon Inc. XOOPS modules


Mutiple Bluemoon Inc. XOOPS modules are vulnerable to cross-site scripting.

Mutiple modules provided by Blumoon Inc. for XOOPS 2.0.x / XOOPS Cube 2.1 / ImpressCMS are vulnerable to cross-site scripting.

Yosuke Yamada and Hirohisa Yamaguchi of NetAgent Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Bluemoon inc.
  • Backpack version 0.91 and earlier
  • Bmsurvey version 0.84 and earlier
  • Newbb_fileup version 1.83 and earlier
  • News_embed version 1.44 ( news_fileup ) and earlier
  • PopnupBlog version 3.19 and earlier


An arbitrary script can be executed on the user's web browser.

[Update the Software]
Update the product to the latest version according to the information provided by the vendor.
Vendor Information

Bluemoon inc.
  • Bluemoon : 33
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2008-2035

  1. JVN : JVN#31351020
  2. National Vulnerability Database (NVD) : CVE-2008-2035
  3. Secunia Advisory : SA29993
  4. SecurityFocus : 28966
  5. ISS X-Force Database : 42072
Revision History

  • [2008/05/21]
      Web page published