Aggregates CVE and security vulnerability intelligence across all Xoops-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk sql injection, vendor risk cross-site scripting, vendor risk path handling, and vendor risk open redirect and related problems; some flaws may lead to vendor impact data exposure.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2008-6884 | Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter to (1) blocks.php and (2) main.php in xoops_lib/modules/protector/. | [email protected] | 6.8 | 5.62% | 2009-07-31 | 2026-06-16 |
| CVE-2008-5665 | SQL injection vulnerability in index.php in the xhresim module in XOOPS allows remote attackers to execute arbitrary SQL commands via the no parameter. | [email protected] | 7.5 | 0.97% | 2008-12-18 | 2026-06-16 |
| CVE-2008-4653 | SQL injection vulnerability in makale.php in Makale 0.26 and possibly other versions, a module for XOOPS, allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information. | [email protected] | 7.5 | 1.00% | 2008-10-21 | 2026-06-16 |
| CVE-2008-3560 | Cross-site scripting (XSS) vulnerability in kshop_search.php in the Kshop module 2.22 for Xoops allows remote attackers to inject arbitrary web script or HTML via the search parameter. | [email protected] | 4.3 | 1.44% | 2008-08-08 | 2026-06-16 |
| CVE-2008-3296 | Directory traversal vulnerability in modules/system/admin.php in XOOPS 2.0.18 1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | [email protected] | 7.5 | 5.71% | 2008-07-25 | 2026-06-16 |
| CVE-2008-3295 | Cross-site scripting (XSS) vulnerability in modules/system/admin.php in XOOPS 2.0.18.1 allows remote attackers to inject arbitrary web script or HTML via the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | [email protected] | 4.3 | 2.74% | 2008-07-25 | 2026-06-16 |
| CVE-2008-2094 | SQL injection vulnerability in article.php in the Article module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter. | [email protected] | 7.5 | 0.98% | 2008-05-06 | 2026-06-16 |
| CVE-2008-2035 | Cross-site scripting (XSS) vulnerability in the Bluemoon, Inc. (1) BackPack 0.91 and earlier, (2) BmSurvey 0.84 and earlier, (3) newbb_fileup 1.83 and earlier, (4) News_embed (news_fileup) 1.44 and earlier, and (5) PopnupBlog 3.19 and earlier modules for XOOPS 2.0.x, XOOPS Cube 2.1, and ImpressCMS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | [email protected] | 4.3 | 1.06% | 2008-04-30 | 2026-06-16 |
| CVE-2008-1351 | SQL injection vulnerability in the Tutorials 2.1b module for XOOPS allows remote attackers to execute arbitrary SQL commands via the tid parameter to printpage.php, which is accessible directly or through a printpage action to index.php. | [email protected] | 7.5 | 1.00% | 2008-03-17 | 2026-06-16 |
| CVE-2008-1065 | Multiple SQL injection vulnerabilities in index.php in the XM-Memberstats (xmmemberstats) 2.0e module for XOOPS allow remote attackers to execute arbitrary SQL commands via the (1) letter or (2) sortby parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | [email protected] | 7.5 | 1.12% | 2008-02-28 | 2026-06-16 |
| CVE-2008-1064 | Cross-site scripting (XSS) vulnerability in images.php in the Red Mexico RMSOFT Gallery System (GS) 2.0 module (aka rmgs) for XOOPS allows remote attackers to inject arbitrary web script or HTML via the q parameter. | [email protected] | 4.3 | 1.30% | 2008-02-28 | 2026-06-16 |
| CVE-2008-1063 | Cross-site scripting (XSS) vulnerability index.php in the XM-Memberstats (xmmemberstats) module for XOOPS allows remote attackers to inject arbitrary web script or HTML via the sortby parameter. | [email protected] | 4.3 | 0.87% | 2008-02-28 | 2026-06-16 |
| CVE-2008-0937 | SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter in a print action, a different vector than CVE-2007-1811. | [email protected] | 6.8 | 0.87% | 2008-02-25 | 2026-06-16 |
| CVE-2008-0936 | SQL injection vulnerability in index.php in the Prayer List (prayerlist) 1.04 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action. | [email protected] | 7.5 | 0.96% | 2008-02-25 | 2026-06-16 |
| CVE-2008-0874 | SQL injection vulnerability in index.php in the eEmpregos module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action. | [email protected] | 7.5 | 1.01% | 2008-02-21 | 2026-06-16 |
| CVE-2008-0847 | SQL injection vulnerability in print.php in the myTopics module for XOOPS allows remote attackers to execute arbitrary SQL commands via the articleid parameter. | [email protected] | 7.5 | 1.01% | 2008-02-20 | 2026-06-16 |
| CVE-2008-0613 | Open redirect vulnerability in htdocs/user.php in XOOPS 2.0.18 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the xoops_redirect parameter. | [email protected] | 5.0 | 2.04% | 2008-02-06 | 2026-06-16 |
| CVE-2008-0612 | Directory traversal vulnerability in htdocs/install/index.php in XOOPS 2.0.18 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. | [email protected] | 7.5 | 2.78% | 2008-02-06 | 2026-06-16 |
| CVE-2008-0611 | SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery System 2.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter. | [email protected] | 7.5 | 0.93% | 2008-02-06 | 2026-06-16 |
| CVE-2008-0138 | PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php in the mod_gallery module for XOOPS, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter. | [email protected] | 6.8 | 4.78% | 2008-01-08 | 2026-06-16 |