Discuz : Security Vulnerabilities, CVEs,
Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.
Max CVSS
6.1
EPSS Score
0.07%
Published
2023-02-15
Updated
2023-02-23
A vulnerability was found in DiscuzX up to 3.4-20200818. It has been classified as problematic. Affected is the function show_next_step of the file upload/install/include/install_function.php. The manipulation of the argument uchidden leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 3.4-20210119 is able to address this issue. The name of the patch is 4a9673624f46f7609486778ded9653733020c567. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-258612.
Max CVSS
4.0
EPSS Score
0.05%
Published
2024-03-31
Updated
2024-04-11
Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.
Max CVSS
5.4
EPSS Score
0.06%
Published
2018-04-22
Updated
2018-05-18
Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.
Max CVSS
5.4
EPSS Score
0.06%
Published
2018-04-22
Updated
2018-05-18
Discuz! DiscuzX X3.4 allows remote attackers to bypass intended access restrictions via the archiver\index.php action parameter.
Max CVSS
9.8
EPSS Score
0.26%
Published
2018-01-12
Updated
2019-10-03
Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_upload.php op parameter.
Max CVSS
6.1
EPSS Score
0.08%
Published
2018-01-12
Updated
2020-01-29
Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_space.php appid parameter in a delete action.
Max CVSS
6.1
EPSS Score
0.08%
Published
2018-01-12
Updated
2018-01-24
Discuz! DiscuzX X3.4 has XSS via the view parameter to include/space/space_poll.php, as demonstrated by a mod=space do=poll request to home.php.
Max CVSS
5.4
EPSS Score
0.08%
Published
2018-01-10
Updated
2018-01-29
Discuz! DiscuzX X3.4 allows remote authenticated users to bypass intended attachment-deletion restrictions via a modified aid parameter.
Max CVSS
8.8
EPSS Score
0.18%
Published
2018-01-08
Updated
2019-10-03
SQL injection vulnerability in shop.php in UCenter Home 2.0 allows remote attackers to execute arbitrary SQL commands via the shopid parameter in a view action.
Max CVSS
7.5
EPSS Score
0.06%
Published
2011-10-08
Updated
2017-08-29
member.php in Crossday Discuz! Board allows remote attackers to reset passwords of arbitrary users via crafted (1) lostpasswd and (2) getpasswd actions, possibly involving predictable generation of the id parameter.
Max CVSS
7.5
EPSS Score
9.54%
Published
2009-08-12
Updated
2017-09-29
SQL injection vulnerability in admincp.php in Discuz! GBK 5.0.0 allows remote attackers to execute arbitrary SQL commands via the cdb_auth cookie.
Max CVSS
7.5
EPSS Score
0.23%
Published
2006-10-27
Updated
2017-10-19
12 vulnerabilities found