| Vulnerability Name: | CCN-21148 | ||||||
| Published: | 2005-06-27 | ||||||
| Updated: | 2005-06-27 | ||||||
| Summary: | PHP-Nuke is vulnerable to cross-site scripting. If the 'Enable remote avatars' is enabled, a remote attacker could embed malicious script in the 'Link to off-site Avatar' field which, once the script is viewed, would be executed in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | ||||||
| CVSS v3 Severity: | 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
| ||||||
| CVSS v2 Severity: | 2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.4 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)
| ||||||
| Vulnerability Consequences: | Gain Access | ||||||
| References: | Source: CCN Type: SA15829 PHP-Nuke "off-site Avatar" Script Insertion Vulnerability Source: CCN Type: OSVDB ID: 17582 PHP-Nuke off-site Avatar Arbitrary Script Insertion Source: CCN Type: PHP-Nuke Web site PHP-Nuke Source: CCN Type: BID-14056 PHP-Nuke Avatar HTML Injection Vulnerability Source: XF Type: UNKNOWN phpnuke-offsiteavatar-script-injection(21148) | ||||||
| Vulnerable Configuration: | Configuration CCN 1: Denotes that component is vulnerable | ||||||
| BACK | |||||||