Description
Validate-Before-Canonicalize vulnerability in the checkURI function in functions.inc.php in PHPX 3.0 through 3.2.6 allows remote attackers to conduct cross-site scripting (XSS) attacks via hex-encoded tags, which bypass the check for literal "<", ">", "(", and ")" characters, as demonstrated using the limit parameter to forums.php and a variety of other vectors.
Exploits (1)
References (4)
Core References (4)
Patch, URL Repurposed (x_refsource_misc): http://www.phpx.org/project.php?action=view&project_id=1
Exploit, Patch (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/10283
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/16065
Exploit, Vendor Advisory (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/362230
Scores
EPSS: 0.0065
EPSS Percentile: 70.8%
Details
Status: published
Products (20)
phpx/phpx 3.0.0
phpx/phpx 3.0.1
phpx/phpx 3.0.2
phpx/phpx 3.0.3
phpx/phpx 3.0.4
phpx/phpx 3.0.5
phpx/phpx 3.0.6
phpx/phpx 3.0.7
phpx/phpx 3.1.0
phpx/phpx 3.1.1
... and 10 more
Published: Dec 31, 2004
Tracked Since: Feb 18, 2026