CVE-2004-2294

PHP-Nuke 6.0-7.3 - Stored Cross-Site Scripting via Reviews Module Text Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-2294. PoCs published by Janek Vind.

AI-analyzed exploit summary The provided text describes multiple vulnerabilities in PHP-Nuke, including XSS, SQL injection, and DoS, with example URLs demonstrating the issues. It does not contain executable exploit code but serves as a technical writeup.

Description

Canonicalize-before-filter error in the send_review function in the Reviews module for PHP-Nuke 6.0 to 7.3 allows remote attackers to inject arbitrary web script or HTML via hex-encoded XSS sequences in the text parameter, which is checked for dangerous sequences before it is canonicalized, leading to a cross-site scripting (XSS) vulnerability.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Janek Vind · textwebappsphp
https://www.exploit-db.com/exploits/24194

The provided text describes multiple vulnerabilities in PHP-Nuke, including XSS, SQL injection, and DoS, with example URLs demonstrating the issues. It does not contain executable exploit code but serves as a technical writeup.

Classification
Writeup 90%
Attack Type
Xss | Sqli | Dos
Complexity
Trivial
Reliability
Theoretical
Target: PHP-Nuke 7.2, 7.3
No auth needed
Prerequisites: Access to the vulnerable PHP-Nuke instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit vdb-entry x_refsource_osvdb
http://www.osvdb.org/6999
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/11852
Exploit mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/365865
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10524

Scores

EPSS 0.0174
EPSS Percentile 74.7%

Details

Status published
Products (15)
francisco_burzi/php-nuke 6.0
francisco_burzi/php-nuke 6.5
francisco_burzi/php-nuke 6.5_beta1
francisco_burzi/php-nuke 6.5_final
francisco_burzi/php-nuke 6.5_rc1
francisco_burzi/php-nuke 6.5_rc2
francisco_burzi/php-nuke 6.5_rc3
francisco_burzi/php-nuke 6.6
francisco_burzi/php-nuke 6.7
francisco_burzi/php-nuke 6.9
... and 5 more
Published Dec 31, 2004
Tracked Since Feb 18, 2026