Multiple vulnerabilities have been discovered in Xoops, which can be exploited by malicious people to conduct cross-site scripting attacks.
1) Input passed to the "module" parameter (when "fct" is set to "modulesadmin" and "op" is set to "install") in modules/system/admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input passed to the "newname[]" and "oldname[]" POST parameters (when "fct" is set to "modulesadmin" and "op" is set to "confirm") in modules/system/admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
3) Input passed to the "memberslist_id[]" POST parameter (when "fct" is set to "mailusers") in modules/system/admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
4) Input passed to the "module[]" POST parameter (when "fct" is set to "modulesadmin" and "op" is set to "confirm") in modules/system/admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are confirmed in version 2.5.0. Other versions may also be affected.
Vulnerable Products
Vulnerable Software: Xoops 2.x
Solution
Update to version 2.5.3, which fixes vulnerabilities #1 and #2. For the remaining vulnerabilities, edit the source code to ensure that input is properly sanitised before it is returned to the user.
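The pattern behind issues #1 to #4 and the fix the solution asks for, as an added PHP illustration that is not XOOPS's own code: the parameter names come from the advisory above, but the confirmation page, the helper `h()` and the sample request are assumptions constructed for this example.

```php
<?php
// Added illustration (not XOOPS code): a POST array echoed back into a page
// without encoding, shown in its vulnerable and its hardened form.
// Parameter names follow the advisory; the page structure is hypothetical.

// Vulnerable pattern: values of oldname[]/newname[] are written straight into
// the HTML of the confirmation page, so any markup in them is rendered.
function render_confirm_unsafe(array $post): string
{
    $out = '';
    $old = (array)($post['oldname'] ?? []);
    foreach ((array)($post['newname'] ?? []) as $i => $name) {
        $out .= '<li>' . ($old[$i] ?? '') . ' -> ' . $name . '</li>';
    }
    return '<ul>' . $out . '</ul>';
}

// Hardened: encode every value at the point it is written into HTML.
// ENT_QUOTES also escapes single quotes so the value is safe inside
// attributes; the explicit charset avoids encoding mismatches.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_confirm_safe(array $post): string
{
    $out = '';
    $old = (array)($post['oldname'] ?? []);
    foreach ((array)($post['newname'] ?? []) as $i => $name) {
        $out .= '<li>' . h((string)($old[$i] ?? '')) . ' -> '
              . h((string)$name) . '</li>';
    }
    return '<ul>' . $out . '</ul>';
}

// Constructed request: one benign name and one carrying harmless markup,
// enough to show the difference between the two renderers.
$sample = [
    'fct'     => 'modulesadmin',
    'op'      => 'confirm',
    'oldname' => ['news'],
    'newname' => ['news<b>x</b>'],   // constructed test value
];
echo render_confirm_unsafe($sample), "\n"; // markup reaches the page verbatim
echo render_confirm_safe($sample), "\n";   // markup is emitted as encoded text
```

The same `h()` wrapper applies to the scalar "module" parameter in #1 and to "memberslist_id[]" in #3; the point is that encoding happens where the value meets the HTML output, not where it is read from the request.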