Description
Interpretation conflict in includes/mainfile.php in PHP-Nuke 7.9 and later allows remote attackers to perform cross-site scripting (XSS) attacks by replacing the ">" in the tag with a "<", which bypasses the regular expressions that sanitize the data, but is automatically corrected by many web browsers. NOTE: it could be argued that this vulnerability is due to a design limitation of many web browsers; if so, then this should not be treated as a vulnerability in PHP-Nuke.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Maksymilian Arciemowicz · textwebappsphp
https://www.exploit-db.com/exploits/26817
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/419496/100/0/threaded
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/419991/100/0/threaded
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/15855
Scores
EPSS
0.0002
EPSS Percentile
6.7%
Details
Status
published
Products (8)
francisco_burzi/php-nuke
7.0
francisco_burzi/php-nuke
7.1
francisco_burzi/php-nuke
7.2
francisco_burzi/php-nuke
7.3
francisco_burzi/php-nuke
7.6
francisco_burzi/php-nuke
7.7
francisco_burzi/php-nuke
7.8
francisco_burzi/php-nuke
7.9
Published
Dec 15, 2005
Tracked Since
Feb 18, 2026