LOW · CVE-2019-25093 · CVSS 2.4

dragonexpert Recent Threads on Index Setting hooks.php recentthread_list_threads cross site scripting

Platform

php

Component

recentthreads

AI Confidence: high · NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2019-25093 describes a cross-site scripting (XSS) vulnerability, rated problematic, in the Recent Threads on Index component by Dragonexpert. It allows attackers to inject malicious scripts by manipulating the recentthread_forumskip argument. Versions prior to commit 051465d807a8fcc6a8b0f4bcbb19299672399f48 are affected; applying that patch resolves the issue.

Impact and attack scenarios

Successful exploitation of CVE-2019-25093 allows an attacker to inject arbitrary JavaScript code into the web page viewed by other users. This can lead to various malicious actions, including session hijacking, defacement of the website, and redirection to phishing sites. The attacker could potentially steal sensitive user data, such as cookies and authentication tokens, or compromise the entire system if the user has elevated privileges. The impact is particularly severe if the affected component is used in a high-traffic area of the website, as a single successful injection could affect a large number of users.

Exploitation context

CVE-2019-25093 was disclosed in 2019 and published to the NVD on January 2, 2023. There are no known active campaigns targeting this specific vulnerability. Public proof-of-concept exploits are not widely available, suggesting a relatively low exploitation probability. The vulnerability's CVSS score of 2.4 (LOW) further supports this assessment.

Who is at risk

Websites utilizing the Dragonexpert Recent Threads on Index plugin and running versions prior to the patched version are at risk. Shared hosting environments where multiple websites share the same server and plugin installation are particularly vulnerable, as a compromise of one website could potentially affect others.

Detection steps

• php / web:

grep -r 'recentthread_forumskip' /var/www/html/inc/plugins/recentthreads/hooks.php

• generic web:

curl -I 'http://your-website.com/inc/plugins/recentthreads/hooks.php?recentthread_forumskip=<script>alert(1)</script>'

Attack timeline

  1. Discovery

  2. Disclosure

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: NO
Internet exposure

EPSS

0.34% (56th percentile)

CVSS vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Base score: 2.4 (LOW)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit the vulnerability)
Privileges Required: High (authentication level needed to attack)
User Interaction: Required (whether the victim must take an action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data disclosure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet, with no physical or local access required. Largest attack surface.
Attack Complexity
Low: no special conditions are needed; the vulnerability can be exploited reliably.
Privileges Required
High: requires an administrator or privileged account.
User Interaction
Required: the victim must open a file, click a link, or visit a crafted page.
Scope
Unchanged: impact is confined to the vulnerable component itself.
Confidentiality
None: no confidentiality impact.
Integrity
Low: the attacker can modify some data, with limited impact.
Availability
None: no availability impact.

Affected software

Component: recentthreads
Vendor: dragonexpert
Affected range / fixed version
n/a – n/a

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched: 1238 days since disclosure

Mitigations and workarounds

The primary mitigation for CVE-2019-25093 is to apply the provided patch: 051465d807a8fcc6a8b0f4bcbb19299672399f48. Before applying the patch, back up the inc/plugins/recentthreads/hooks.php file. If applying the patch directly is not feasible, implement input validation and sanitization on the recentthread_forumskip parameter to reject malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. After applying the patch, confirm the vulnerability is resolved by submitting a simple JavaScript payload through the recentthread_forumskip parameter and verifying that it is not executed.
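The input validation and output encoding the mitigation above recommends, as an added PHP example that is not the plugin's own code; the function names and the assumption that recentthread_forumskip is a comma-separated list of forum IDs echoed back into a form field are mine, not something the advisory states.

```php
<?php
// Added example, not the plugin's own code. Assumes recentthread_forumskip is a
// comma-separated list of forum IDs that the plugin echoes back into a form
// field; the advisory does not state how the parameter is used.

// Validate on input: keep only positive integers, drop everything else, and
// return a canonical "1,2,3" string ("" when nothing valid remains).
function recentthread_validate_forumskip(string $raw): string
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit rejects "<script>", "-5", "1 OR 1", "" and similar.
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return implode(',', array_unique($ids));
}

// Encode on output: ENT_QUOTES covers both quote styles, so the value cannot
// break out of a value="..." attribute; an explicit charset avoids mismatches.
function recentthread_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw request value lands in the page unchanged.
function recentthread_render_unsafe(string $raw): string
{
    return '<input type="text" name="recentthread_forumskip" value="'
        . $raw . '">';
}

// Hardened pattern: validate, then encode. The output encoding alone already
// prevents script injection even if the validation is later relaxed.
function recentthread_render_safe(string $raw): string
{
    $clean = recentthread_validate_forumskip($raw);
    return '<input type="text" name="recentthread_forumskip" value="'
        . recentthread_html($clean) . '">';
}

// Constructed sample input standing in for a hostile query-string value.
$sample = '3,<script>alert(1)</script>,7';
echo recentthread_render_unsafe($sample), "\n"; // script tag reaches the browser
echo recentthread_render_safe($sample), "\n";   // value="3,7"
```

The same validate-then-encode pattern applies wherever the parameter is rendered, including admin-side settings pages, since PR:H in the vector indicates the sink is reachable by privileged users.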

Remediation

Update the Recent Threads on Index plugin to the latest available version. The vulnerability has been patched in the version following commit 051465d807a8fcc6a8b0f4bcbb19299672399f48. Consult the plugin's changelog for more details about the update.


Frequently asked questions

What is CVE-2019-25093 — XSS in Dragonexpert Recent Threads on Index?

CVE-2019-25093 is a cross-site scripting (XSS) vulnerability in the Dragonexpert Recent Threads on Index plugin, allowing attackers to inject malicious scripts via the recentthread_forumskip parameter.

Am I affected by CVE-2019-25093 in Dragonexpert Recent Threads on Index?

You are affected if you are running Dragonexpert Recent Threads on Index at a version prior to commit 051465d807a8fcc6a8b0f4bcbb19299672399f48.

How do I fix CVE-2019-25093 in Dragonexpert Recent Threads on Index?

Apply the patch 051465d807a8fcc6a8b0f4bcbb19299672399f48. Back up the hooks.php file before applying.

Is CVE-2019-25093 being actively exploited?

There are no known active campaigns targeting CVE-2019-25093 at this time, but it remains a potential risk.

Where can I find the official Dragonexpert advisory for CVE-2019-25093?

Refer to the VDB entry (VDB-217182) for more information and potential links to the Dragonexpert advisory.
