XMB Forum Software - [Security < 1.9.10] CVE-2005-2574 - Powered by XMB 1.9.12 (Debug Mode)

[Security < 1.9.10] CVE-2005-2574

miqrogroove - 5-9-2021 at 05:54 PM

Bug Source: XMB 1.9.9 and older

Symptoms: Unexpected output, Javascript compromise (XSS)

Security Impact: High

ID: CVE-2005-2574

Fixed By: XMB 1.9.10 and later are not affected.

Discussion:

A variable overwrite exploit, reported to Bugtraq in 2005, was evaluated by XMB staff in 2008. This vulnerability had not been resolved and was more severe than originally described. Arguments to the 'extract' function were changed in 2008 and released with version 1.9.10 to prevent variable overwrites. These changes were also available in a service pack for version 1.9.8.

Recommendations:

Servers running PHP 7 or PHP 8
- If you installed XMB 1.8 through 1.9.9 - Upgrade to version 1.9.12.
Servers running PHP 5
- If you installed XMB 1.8 through 1.9.9 - Upgrade to version 1.9.11.
- Please consider updating your server with a new version of PHP.
Upgrade Instructions