The custom avatar uploading feature (uploader.php) in XOOPS 2.0.9.2 and earlier does not filter file extensions, which allows remote attackers to upload arbitrary PHP scripts.

| Software | From | Fixed in |
|---|---|---|
| xoops / xoops | 1.0_rc1 | 1.0_rc1.x |
| xoops / xoops | 1.0_rc3 | 1.0_rc3.x |
| xoops / xoops | 1.0_rc3.0.5 | 1.0_rc3.0.5.x |
| xoops / xoops | 1.3.10 | 1.3.10.x |
| xoops / xoops | 1.3.5 | 1.3.5.x |
| xoops / xoops | 1.3.6 | 1.3.6.x |
| xoops / xoops | 1.3.7 | 1.3.7.x |
| xoops / xoops | 1.3.8 | 1.3.8.x |
| xoops / xoops | 1.3.9 | 1.3.9.x |
| xoops / xoops | 2.0 | 2.0.x |
| xoops / xoops | 2.0.1 | 2.0.1.x |
| xoops / xoops | 2.0.2 | 2.0.2.x |
| xoops / xoops | 2.0.3 | 2.0.3.x |
| xoops / xoops | 2.0.5 | 2.0.5.x |
| xoops / xoops | 2.0.5.1 | 2.0.5.1.x |
| xoops / xoops | 2.0.5.2 | 2.0.5.2.x |
| xoops / xoops | 2.0.9.2 | 2.0.9.2.x |