We have an increasing number of reports of XOOPS sites hacked when they use a XOOPS version below 2.0.13 and some sort of autologin.
The reason for this is that the hole we found in the XML-RPC interface allows for an SQL injection attack where one can find the hashed password for a known username in the database.
With this hash, it is possible to manufacture a cookie that resembles the autologin cookie and grants access as administrator (if the known user is an administrator, naturally).
We meant it when we said that everyone should upgrade to 2.0.13.
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."
Cusix Software
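The weakness described above is that a cookie derived only from the stored password hash can be minted by anyone who reads that hash out of the database. The following is an added illustration, not code from the post or from XOOPS: it contrasts that cookie design with one bound to a server-side secret and an expiry, using an assumed `uid:expiry:tag` cookie format and a constructed user table.

```python
import hashlib
import hmac
import time

# Constructed sample user table: the column an SQL injection would expose.
USERS = {"1": {"uname": "admin", "pass": hashlib.md5(b"constructed-pw").hexdigest()}}

# Assumed server-side secret, not derived from any user data; rotating it
# invalidates every outstanding autologin cookie at once (e.g. on upgrade).
SERVER_SECRET = b"constructed-secret-rotate-on-upgrade"


def weak_verify(cookie):
    """Cookie = uid:password_hash. Anyone who reads the hash can mint it."""
    uid, _, presented = cookie.partition(":")
    user = USERS.get(uid)
    return user is not None and hmac.compare_digest(presented, user["pass"])


def make_cookie(uid, ttl=30 * 24 * 3600, now=None, secret=SERVER_SECRET):
    """Cookie = uid:expiry:HMAC(secret, uid:expiry). Requires the server secret."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{uid}:{exp}".encode()
    return f"{uid}:{exp}:{hmac.new(secret, payload, hashlib.sha256).hexdigest()}"


def strong_verify(cookie, now=None, secret=SERVER_SECRET):
    """Return the uid if the tag is valid and the cookie is unexpired, else None."""
    try:
        uid, exp_s, tag = cookie.split(":")
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{uid}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if exp < (time.time() if now is None else now):
        return None
    return uid if uid in USERS else None


def demo():
    leaked_hash = USERS["1"]["pass"]            # what the injection reveals
    weak_ok = weak_verify(f"1:{leaked_hash}")   # accepted: the hash alone suffices
    # Under the secret-bound scheme the leaked hash is useless as a signing key.
    exp = int(time.time()) + 3600
    forged_tag = hmac.new(leaked_hash.encode(), f"1:{exp}".encode(), hashlib.sha256).hexdigest()
    forged_ok = strong_verify(f"1:{exp}:{forged_tag}") is not None
    legit_ok = strong_verify(make_cookie("1")) == "1"
    return weak_ok, forged_ok, legit_ok
```

Rotating `SERVER_SECRET` on upgrade logs out every autologin session, which is the behaviour you want after a database-disclosure bug like this one.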