Aggregates CVE and security vulnerability intelligence across all Xoops-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk sql injection, vendor risk cross-site scripting, vendor risk path handling, and vendor risk open redirect and related problems; some flaws may lead to vendor impact data exposure.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2007-6675 | The b_system_comments_show function in htdocs/modules/system/blocks/system_blocks.php in XOOPS before 2.0.18 does not check permissions, which allows remote attackers to read the comments in restricted modules. | [email protected] | 5.0 | 1.23% | 2008-01-08 | 2026-06-16 |
| CVE-2007-5978 | SQL injection vulnerability in brokenlink.php in the mylinks module for XOOPS allows remote attackers to execute arbitrary SQL commands via the lid parameter. | [email protected] | 7.5 | 0.99% | 2007-11-14 | 2026-06-16 |
| CVE-2007-5188 | Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1 and earlier allows remote attackers to upload arbitrary files via unspecified vectors related to improper upload configuration settings in class/uploader.php and class/mimetypes.inc.php, possibly an incomplete blacklist that omits the .php4 extension. | [email protected] | 7.5 | 2.44% | 2007-10-03 | 2026-06-16 |
| CVE-2007-3311 | SQL injection vulnerability in print.php in the Articles 1.02 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter. | [email protected] | 7.5 | 1.04% | 2007-06-21 | 2026-06-16 |
| CVE-2007-3289 | PHP remote file inclusion vulnerability in spaw/spaw_control.class.php in the WiwiMod 0.4 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656. | [email protected] | 7.5 | 12.19% | 2007-06-20 | 2026-06-16 |
| CVE-2007-3237 | PHP remote file inclusion vulnerability in admin/spaw/spaw_control.class.php in the TinyContent 1.5 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656. | [email protected] | 6.8 | 67.66% | 2007-06-14 | 2026-06-16 |
| CVE-2007-3236 | PHP remote file inclusion vulnerability in footer.php in the Horoscope 1.0 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the xoopsConfig[root_path] parameter. | [email protected] | 7.5 | 76.98% | 2007-06-14 | 2026-06-16 |
| CVE-2007-3222 | PHP remote file inclusion vulnerability in modify.php in the XFsection 1.07 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the dir_module parameter. | [email protected] | 7.5 | 7.44% | 2007-06-14 | 2026-06-16 |
| CVE-2007-3221 | PHP remote file inclusion vulnerability in admin/spaw/spaw_control.class.php in the XT-Conteudo module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656. | [email protected] | 6.8 | 67.81% | 2007-06-14 | 2026-06-16 |
| CVE-2007-3220 | PHP remote file inclusion vulnerability in admin/editor2/spaw_control.class.php in the Cjay Content 3 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this may be a duplicate of CVE-2006-4656. | [email protected] | 6.8 | 62.75% | 2007-06-14 | 2026-06-16 |
| CVE-2007-3057 | PHP remote file inclusion vulnerability in include/wysiwyg/spaw_control.class.php in the icontent 4.5 module for XOOPS allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: this issue is probably a duplicate of CVE-2006-4656. | [email protected] | 6.8 | 68.67% | 2007-06-05 | 2026-06-16 |
| CVE-2007-2738 | SQL injection vulnerability in glossaire-p-f.php in the Glossaire 1.7 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the sid parameter in an ImprDef action. | [email protected] | 7.5 | 1.05% | 2007-05-17 | 2026-06-16 |
| CVE-2007-2737 | SQL injection vulnerability in index.php in the MyConference 1.0 module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | [email protected] | 7.5 | 0.93% | 2007-05-17 | 2026-06-16 |
| CVE-2007-2571 | SQL injection vulnerability in index.php in the wfquotes 1.0 0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the c parameter in a cat action. | [email protected] | 7.5 | 1.00% | 2007-05-09 | 2026-06-16 |
| CVE-2007-2543 | SQL injection vulnerability in game.php in the Flashgames 1.0.1 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the lid parameter. | [email protected] | 7.5 | 1.20% | 2007-05-08 | 2026-06-16 |
| CVE-2007-2370 | SQL injection vulnerability in index.php in the John Mordo Jobs 2.4 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a jobsview action. NOTE: the module name was originally reported as Job Listings. | [email protected] | 7.5 | 2.88% | 2007-04-30 | 2026-06-16 |
| CVE-2007-1979 | SQL injection vulnerability in index.php in the PopnupBlog 2.52 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the postid parameter, possibly involving the get_blogid_from_postid function in class/PopnupBlogUtils.php. NOTE: later versions such as 3.03 and 3.05 might also be affected. | [email protected] | 7.5 | 2.17% | 2007-04-11 | 2026-06-16 |
| CVE-2007-1976 | PHP remote file inclusion vulnerability in index.php in the Virii Info 1.10 and earlier module for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the xoopsConfig[root_path] parameter. NOTE: the issue has been disputed by a reliable third party, stating that the application's checkSuperglobals function defends against the attack | [email protected] | 7.5 | 1.97% | 2007-04-11 | 2026-06-16 |
| CVE-2007-1974 | SQL injection vulnerability in the getArticle function in class/wfsarticle.php in WF-Section (aka WF-Sections) 1.0.1, as used in Xoops modules such as (1) Zmagazine 1.0, (2) Happy Linux XFsection 1.07 and earlier, and possibly other modules, allows remote attackers to execute arbitrary SQL commands via the articleid parameter to print.php. | [email protected] | 7.5 | 5.53% | 2007-04-11 | 2026-06-16 |
| CVE-2007-1962 | SQL injection vulnerability in index.php in the WF-Snippets 1.02 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the c parameter in a cat action. | [email protected] | 7.5 | 1.04% | 2007-04-11 | 2026-06-16 |