CVE-2007-5072

Alexander Palmo Simple PHP Blog < 0.5.0.1 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog (SPHPBlog) before 0.5.1, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via certain user_colors array parameters to certain user_style.php files under themes/, as demonstrated by the user_colors[bg_color] parameter.

Scores

EPSS 0.0051
EPSS Percentile 66.0%

Classification

CWE CWE-79
Status draft

Affected Products (1)

alexander_palmo/simple_php_blog < 0.5.0.1

Timeline

Published Sep 24, 2007
Tracked Since Feb 18, 2026