A cross-site scripting vulnerability exists in Citadel versions prior to 994. When a malicious user sends an instant message with some JavaScript code, the script may be executed on the web browser of the victim user.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-10-04
Updated
2023-10-10
modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Max CVSS
5.0
EPSS Score
3.40%
Published
2011-06-21
Updated
2011-10-26
2 vulnerabilities found