ID

VAR-200312-0367


CVE

CVE-2003-1400


TITLE

PHP-Nuke Avatar HTML Injection Vulnerability

Trust: 0.9

sources: BID: 6750 // CNNVD: CNNVD-200312-436

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. A problem with PHP-Nuke could allow remote users to execute arbitrary code in the context of the web site. The problem is the lack of sanitization of some types of input. PHP-Nuke does not sanitize code submitted to a site from the avatar select box. Because of this, a malicious user may be able to submit embedded code from their profile page instead of an avatar. This would result in code being executed in the location where a user's avatar should normally display. This code would be executed by a victim user's browser in the context of the site.

Trust: 1.26

sources: NVD: CVE-2003-1400 // BID: 6750 // VULHUB: VHN-8225

AFFECTED PRODUCTS

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.2

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.1

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 6.0

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.0

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.6

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.0.1

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.4

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.3.1

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.2a

Trust: 1.6

vendor: francisco burzi // model: php-nuke // scope: eq // version: 5.5

Trust: 1.6

vendor: francisco // model: burzi php-nuke // scope: eq // version: 6.0

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.6

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.5

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.4

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.3.1

Trust: 0.3

vendor: francisco // model: burzi php-nuke a // scope: eq // version: 5.2

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.2

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.1

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.0.1

Trust: 0.3

vendor: francisco // model: burzi php-nuke // scope: eq // version: 5.0

Trust: 0.3

sources: BID: 6750 // CNNVD: CNNVD-200312-436 // NVD: CVE-2003-1400

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2003-1400
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200312-436
value: MEDIUM

Trust: 0.6

VULHUB: VHN-8225
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2003-1400
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-8225
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-8225 // CNNVD: CNNVD-200312-436 // NVD: CVE-2003-1400

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

sources: VULHUB: VHN-8225 // NVD: CVE-2003-1400

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200312-436

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-200312-436

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-8225

EXTERNAL IDS

db: BID // id: 6750

Trust: 2.0

db: NVD // id: CVE-2003-1400

Trust: 1.7

db: CNNVD // id: CNNVD-200312-436

Trust: 0.7

db: BUGTRAQ // id: 20030203 PHP-NUKE AVATAR CODE INJECTION VULNERABILITY

Trust: 0.6

db: BUGTRAQ // id: 20030204 RE: PHP-NUKE AVATAR CODE INJECTION VULNERABILITY

Trust: 0.6

db: XF // id: 11229

Trust: 0.6

db: SEEBUG // id: SSVID-76021

Trust: 0.1

db: EXPLOIT-DB // id: 22211

Trust: 0.1

db: VULHUB // id: VHN-8225

Trust: 0.1

sources: VULHUB: VHN-8225 // BID: 6750 // CNNVD: CNNVD-200312-436 // NVD: CVE-2003-1400

REFERENCES

url: http://www.securityfocus.com/bid/6750

Trust: 1.7

url: http://www.securityfocus.com/archive/1/309959

Trust: 1.7

url: http://www.securityfocus.com/archive/1/310115

Trust: 1.7

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/11229

Trust: 1.1

url: http://xforce.iss.net/xforce/xfdb/11229

Trust: 0.6

url: http://www.ncc.org.ve/php-nuke.php3?op=english

Trust: 0.3

url: /archive/1/310115

Trust: 0.3

url: /archive/1/309959

Trust: 0.3

sources: VULHUB: VHN-8225 // BID: 6750 // CNNVD: CNNVD-200312-436 // NVD: CVE-2003-1400

CREDITS

Vulnerability discovery credited to "delusion" <delusi0n@bellsouth.net>.

Trust: 0.9

sources: BID: 6750 // CNNVD: CNNVD-200312-436

SOURCES

db: VULHUB // id: VHN-8225
db: BID // id: 6750
db: CNNVD // id: CNNVD-200312-436
db: NVD // id: CVE-2003-1400

LAST UPDATE DATE

2024-08-14T14:59:26.370000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-8225 // date: 2017-07-29T00:00:00
db: BID // id: 6750 // date: 2003-02-03T00:00:00
db: CNNVD // id: CNNVD-200312-436 // date: 2003-12-31T00:00:00
db: NVD // id: CVE-2003-1400 // date: 2017-07-29T01:29:09.747

SOURCES RELEASE DATE

db: VULHUB // id: VHN-8225 // date: 2003-12-31T00:00:00
db: BID // id: 6750 // date: 2003-02-03T00:00:00
db: CNNVD // id: CNNVD-200312-436 // date: 2003-12-31T00:00:00
db: NVD // id: CVE-2003-1400 // date: 2003-12-31T05:00:00