https://www.exploit-db.com/exploits/21829
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-427

Xoops1.0RC3存在跨站脚本攻击（XSS）漏洞。远程攻击者可以在递交消息时，借助一个IMG标签上的Javascript注入任意web脚本或HTML。

source: http://www.securityfocus.com/bid/5785/info

Problems with XOOPS could make it possible to execute arbitrary script code in a vulnerable client.

XOOPS does not sufficiently filter potentially malicious HTML code from posted messages. As a result, when a user views a message posting that contains malicious HTML code, the code contained in the message would be executed in the browser of the vulnerable user. This will occur in the context of the site running the XOOPS software.


<IMG SRC="javascript:[javascript]">

来源:BID
名称:5785
链接:http://www.securityfocus.com/bid/5785
来源:XF
名称:cms-news-image-xss(10173)
链接:http://www.iss.net/security_center/static/10173.php
来源:BUGTRAQ
名称:20020924XoopsRC3scriptinjectionvulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2002-09/0286.html