Description
Cross-site scripting (XSS) vulnerability in PHP-Nuke 5.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) uname parameter in user.php, (2) ttitle, letter and file parameters in modules.php, (3) subject, story and storyext parameters in submit.php, (4) upload parameter in admin.php and (5) fname parameter in friend.php.
Exploits (2)
exploitdb
WRITEUP
VERIFIED
by Cabezon Aurélien · text · webapps · php
https://www.exploit-db.com/exploits/21165
exploitdb
WRITEUP
VERIFIED
by Cabezon Aurélien · text · webapps · php
https://www.exploit-db.com/exploits/21166
References (7)
Core References
Third Party Advisory vdb-entry
x_refsource_xf
http://www.iss.net/security_center/static/7654.php
Patch x_refsource_confirm
http://prdownloads.sourceforge.net/phpnuke/PHP-Nuke-5.5.tar.gz
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://online.securityfocus.com/archive/1/245691
Third Party Advisory, VDB Entry mailing-list
x_refsource_vuln-dev
http://online.securityfocus.com/archive/82/246603
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://online.securityfocus.com/archive/1/245875
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://online.securityfocus.com/archive/82/243545
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/3609
Scores
EPSS
0.0011
EPSS Percentile
28.2%
Details
Status
published
Products (11)
francisco_burzi/php-nuke 3.0
francisco_burzi/php-nuke 4.0
francisco_burzi/php-nuke 4.3
francisco_burzi/php-nuke 4.4
francisco_burzi/php-nuke 4.4.1a
francisco_burzi/php-nuke 5.0
francisco_burzi/php-nuke 5.0.1
francisco_burzi/php-nuke 5.1
francisco_burzi/php-nuke 5.2
francisco_burzi/php-nuke 5.2a
... and 1 more
Published
Dec 31, 2001
Tracked Since
Feb 18, 2026