Description
Multiple cross-site scripting (XSS) vulnerabilities in MaxWebPortal allow remote attackers to execute arbitrary web script as other users via (1) the sub_name parameter of dl_showall.asp, (2) the SendTo parameter in Personal Messages, (3) the HTTP_REFERER for down.asp, or (4) the image name of an Avatar in the register form.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by Manuel Lopez · text · webapps · asp
https://www.exploit-db.com/exploits/23677
exploitdb
WRITEUP
VERIFIED
by Manuel Lopez · text · webapps · asp
https://www.exploit-db.com/exploits/23676
References (4)
Core References
Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=107643014606515&w=2
Exploit, Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/9625
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/15122
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/15120
Scores
EPSS
0.0427
EPSS Percentile
88.9%
Details
Status
published
Products (2)
maxwebportal/maxwebportal
1.30
maxwebportal/maxwebportal
1.31
Published
Nov 23, 2004
Tracked Since
Feb 18, 2026