XOOPS Arbitrary Avatar File Upload

High Nessus Network Monitor Plugin ID 2683

Synopsis

The remote host may be tricked into running an executable file.

Description

The remote host is running XOOPS, a web portal application written in PHP. The avatar upload feature in this version of XOOPS does not adequately restrict the type of file a user may upload, so a remote attacker can upload a file containing executable server-side code (such as a PHP script) into a web-accessible location and then execute it simply by requesting it over HTTP. An attacker exploiting this flaw would be able to execute arbitrary code with the privileges of the web server process.

Solution

Upgrade or patch according to vendor recommendations. As a compensating control, ensure the directory that stores uploaded avatars is configured so the web server does not execute scripts placed in it, and restrict avatar uploads to image types by both extension and file content.

See Also

http://www.xoops.org

Plugin Details

Severity: High

ID: 2683

Family: CGI

Published: 2005/03/08

Modified: 2016/02/05

Dependencies: 1442

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:OF/RC:ND

CVSSv3

Base Score: 7.3

Temporal Score: 6.9

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:H/RL:O/RC:X

Reference Information

CVE: CVE-2005-0743

BID: 12754