CVE-2002-0902

phpBB 2.0.0 - Stored Cross-Site Scripting via IMG Tag Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-0902. PoCs published by Martijn Boerwinkel.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in phpBB2 via BBCode image tags. The attacker can inject arbitrary HTML/JavaScript by closing the HTML statement with a double-quotation character.

Description

Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute Javascript as other phpBB users by including a http:// and a double-quote (") in the [IMG] tag, which bypasses phpBB's security check, terminates the src parameter of the resulting HTML IMG tag, and injects the script.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Martijn Boerwinkel · textwebappsphp
https://www.exploit-db.com/exploits/21486

This is a writeup describing a stored XSS vulnerability in phpBB2 via BBCode image tags. The attacker can inject arbitrary HTML/JavaScript by closing the HTML statement with a double-quotation character.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: phpBB2 and prior versions
Auth required
Prerequisites: Ability to post messages in a phpBB2 forum
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4858
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://online.securityfocus.com/archive/1/274273
Patch, Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/9178.php

Scores

EPSS 0.0716
EPSS Percentile 93.5%

Details

Status published
Products (6)
phpbb_group/phpbb 2.0.0
phpbb_group/phpbb 2.0_beta1
phpbb_group/phpbb 2.0_rc1
phpbb_group/phpbb 2.0_rc2
phpbb_group/phpbb 2.0_rc3
phpbb_group/phpbb 2.0_rc4
Published Oct 04, 2002
Tracked Since Feb 18, 2026