CVE-2002-2350 in Zorum

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in z_user_show.php in dbtreelistproperty_method.php in Zorum 2.4 allows remote attackers to inject arbitrary web script or HTML via the class parameter.


Analysis

by VulDB Data Team • 08/28/2025

The vulnerability described in CVE-2002-2350 represents a classic cross-site scripting flaw within the Zorum 2.4 web application framework, specifically manifesting in the z_user_show.php script that utilizes dbtreelistproperty_method.php functionality. This issue resides in the handling of user-provided input through the class parameter, creating an exploitable condition where malicious actors can inject arbitrary web scripts or HTML code into the application's response. The vulnerability occurs at the point where user-supplied data is directly incorporated into dynamically generated web content without proper sanitization or output encoding mechanisms.

The technical exploitation of this vulnerability follows the standard XSS attack pattern where an attacker crafts malicious input containing script tags or other HTML elements that get executed in the context of other users' browsers. When the vulnerable z_user_show.php script processes the class parameter from the dbtreelistproperty_method.php component, it fails to validate or sanitize the input before rendering it within the web page output. This allows attackers to inject JavaScript code that executes in the victim's browser when they view the affected page, potentially leading to session hijacking, credential theft, or redirection to malicious sites.

From an operational impact perspective, this vulnerability poses significant security risks to Zorum 2.4 installations as it enables attackers to compromise user sessions and potentially gain unauthorized access to sensitive information. The attack vector is particularly concerning because it requires no privileged access or authentication, making it easily exploitable by remote attackers. The vulnerability affects the core user management functionality of the application, potentially allowing attackers to manipulate user data, steal cookies, or redirect users to phishing sites, thereby undermining the integrity and confidentiality of the web application's user interactions.

The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and demonstrates characteristics consistent with the ATT&CK technique T1566.001 for initial access through web application attacks. Organizations using Zorum 2.4 should implement immediate mitigations including input validation and output encoding for all user-supplied parameters, particularly those used in dynamic content generation. The recommended approach involves sanitizing the class parameter through proper HTML entity encoding before rendering, implementing Content Security Policy headers, and ensuring all user input undergoes strict validation before being incorporated into web page output. Additionally, regular security audits and code reviews should be conducted to identify similar patterns in other application components that might be susceptible to the same class of vulnerability.
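To make the mitigation concrete, here is an added PHP illustration (not Zorum's code, which this entry does not reproduce) of the reflected-XSS sink described above beside a hardened version; the function names, the HTML fragment and the identifier allowlist are assumptions:

```php
<?php
// Added example, not Zorum's own source: a reflected-XSS sink like the
// "class" parameter of z_user_show.php, shown vulnerable and then hardened.
declare(strict_types=1);

// Vulnerable pattern: the untrusted query parameter is echoed straight into
// an HTML attribute, so a value containing a quote and '>' escapes the
// attribute and whatever follows is parsed as markup.
function render_class_vulnerable(array $get): string
{
    $class = $get['class'] ?? '';
    return "<div class=\"$class\">Properties</div>";
}

// Hardened pattern, two layers:
// 1) validate: a class name only ever needs letters, digits, '_' and '-',
//    so anything else is rejected up front (assumed allowlist);
// 2) encode: the value is still HTML-entity encoded for the attribute
//    context (ENT_QUOTES covers both " and ') before it reaches the page.
function validate_class_name(string $value): ?string
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_-]{0,63}$/', $value) === 1 ? $value : null;
}

function render_class_hardened(array $get): string
{
    $class = validate_class_name((string)($get['class'] ?? '')) ?? 'default';
    $safe = htmlspecialchars($class, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"$safe\">Properties</div>";
}

// Defence in depth: a Content Security Policy without 'unsafe-inline' keeps
// an injected inline script from executing even if encoding is missed in
// some other template.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed probe value: breaks out of the attribute in the vulnerable
// renderer, is rejected and replaced by the fallback in the hardened one.
$probe = ['class' => '"><b>x</b>'];
echo render_class_vulnerable($probe) . PHP_EOL;
echo render_class_hardened($probe) . PHP_EOL;
```

Run from the command line with `php example.php` to compare the two renderings; in a real handler the CSP header would be sent before any output.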

Reservation

10/29/2007

Disclosure

12/31/2002

Moderation

accepted

Entry

VDB-19992

CPE

ready

EPSS

0.00871

KEV

no

Activities

very low
