CVE-2023-36217

9.0 CRITICAL

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in Xoops CMS allows remote attackers to inject malicious scripts via the category name field in the image manager. When exploited, this can lead to session hijacking, credential theft, or redirection to malicious sites. All Xoops CMS installations running vulnerable versions with the image manager enabled are affected.

💻 Affected Systems

Products:
  • Xoops CMS
Versions: v2.5.10 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the image manager module to be enabled and accessible to users with appropriate permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of admin accounts leading to website defacement, data theft, or installation of backdoors for persistent access.

🟠 Likely Case

Session hijacking of authenticated users, credential theft via phishing, or redirection to malicious websites.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction or access to the image manager with appropriate permissions. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.5.11 or later

Vendor Advisory: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11

Restart Required: No

Instructions:

1. Backup your Xoops installation and database.
2. Download Xoops v2.5.11 or later from the official repository.
3. Replace the vulnerable files with patched versions.
4. Clear cache and verify functionality.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement server-side input validation to sanitize category name field inputs.

Steps: Modify /modules/images/admin/category.php to add input sanitization

Disable Image Manager

Platform: all

Temporarily disable the vulnerable image manager module.

Steps: Navigate to System Admin > Modules > Images > Deactivate

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads in category name fields.
  • Apply Content Security Policy (CSP) headers to restrict script execution sources.

🔍 How to Verify

Check if Vulnerable:

Check whether the Xoops version is 2.5.10 or earlier and the image manager is enabled.

Check Version:

Check /include/version.php or admin panel System Info

Verify Fix Applied:

Verify that the installation shows version 2.5.11 or later in the admin panel, then confirm that a category name containing markup is rendered encoded rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to image manager with script tags in parameters
  • Multiple failed login attempts following image manager access

Network Indicators:

  • HTTP requests containing <script> tags in category name parameters
  • Outbound connections to suspicious domains after image manager access

SIEM Query:

source="web_server" AND (uri_path="/modules/images/admin/category.php" AND (param="name" CONTAINS "<script>" OR param="name" CONTAINS "javascript:"))
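The SIEM query above keys on a literal `<script>` or `javascript:` inside the `name` parameter of requests to the category handler. The following is an added example, not part of this advisory, that applies the same logic to a handful of constructed web-server log lines and closes two gaps a literal substring match leaves open: the parameter value is URL-decoded before inspection (so `%3Cscript%3E` is seen as `<script>`), and the comparison is case-insensitive. The `<script` marker is matched without its closing bracket so that tags carrying attributes are also caught. The log format, IP addresses, usernames and request bodies are all constructed for the example.

```python
"""Detection logic for the advisory's SIEM query, run over constructed log lines.

Added example (not Xoops code and not the advisory's own query): matches the
query's intent (POST to category.php with a suspicious `name` parameter) after
URL-decoding and case-folding the value.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/modules/images/admin/category.php"
# Substrings the advisory's SIEM query keys on; "<script" without the closing
# bracket also catches tags that carry attributes.
MARKERS = ("<script", "javascript:")

# Constructed sample lines: common-log-style prefix, then the form-encoded
# request body appended after the status code ("-" when there is none).
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Jan/2024:10:01:02 +0000] "POST /modules/images/admin/category.php HTTP/1.1" 200 op=addcat&name=Holiday+Photos',
    '10.0.0.9 - admin [12/Jan/2024:10:03:44 +0000] "POST /modules/images/admin/category.php HTTP/1.1" 200 op=addcat&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
    '10.0.0.9 - admin [12/Jan/2024:10:04:10 +0000] "POST /modules/images/admin/category.php HTTP/1.1" 200 op=addcat&name=%3CSCRIPT%3E',
    '10.0.0.7 - editor [12/Jan/2024:10:05:00 +0000] "POST /modules/images/admin/category.php HTTP/1.1" 200 op=addcat&name=JavaScript%3Avoid(0)',
    '10.0.0.3 - - [12/Jan/2024:10:06:00 +0000] "GET /index.php?name=%3Cscript%3E HTTP/1.1" 200 -',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<body>.*)$'
)


def parse_line(line):
    """Split one log line into its fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def suspicious_name_values(params):
    """Return the decoded `name` values that contain a marker, case-insensitively."""
    hits = []
    for value in params.get("name", []):
        lowered = value.lower()
        if any(marker in lowered for marker in MARKERS):
            hits.append(value)
    return hits


def match_event(line):
    """Apply the query's logic to one line; return an event dict or None."""
    rec = parse_line(line)
    if rec is None or rec["path"] != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so encoded markers become visible.
    # Body parameters (POST) and query-string parameters are both inspected.
    params = parse_qs(rec["body"]) if rec["body"] != "-" else {}
    for key, values in parse_qs(urlsplit(rec["target"]).query).items():
        params.setdefault(key, []).extend(values)
    hits = suspicious_name_values(params)
    if not hits:
        return None
    return {"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"], "name": hits}


def scan(lines):
    """Return the list of matching events for a sequence of log lines."""
    return [ev for ev in (match_event(line) for line in lines) if ev]


if __name__ == "__main__":
    for event in scan(SAMPLE_LOGS):
        print(event)
```

The first sample line is an ordinary category name and produces no event; the fifth targets a different path and is ignored even though its query string carries the marker, mirroring the `uri_path` condition in the query. The remaining three lines each produce one event, including the upper-case and percent-encoded variants that the literal query would miss.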
