XMB Forum Software - [Security < 1.9.10] CVE-2004-1862

[Security < 1.9.10] CVE-2004-1862

miqrogroove - 5-9-2021 at 04:41 PM

Bug Source: XMB 1.9.9 and older

Symptoms: Unexpected output, Javascript compromise (XSS)

Security Impact: High

ID: CVE-2004-1862

Fixed By: XMB 1.9.10 and later are not affected.

Discussion:

Multiple exploits reported to Bugtraq in 2004 were evaluated by XMB staff in 2008. Of primary concern, the reported "XSS in post.php" had not been resolved and was still valid for one or more defects. The post.php file was reorganized in 2008 and released with version 1.9.10 to implement better I/O filtering. There were no hotfixes for old versions because the necessary changes were incompatible with existing customizations.

Recommendations:

Servers running PHP 7 or PHP 8
- If you installed XMB 1.8 through 1.9.9 - Upgrade to version 1.9.12.
Servers running PHP 5
- If you installed XMB 1.8 through 1.9.9 - Upgrade to version 1.9.11.
- Please consider updating your server with a new version of PHP.
Upgrade Instructions