CVE-2002-0931

MyHelpDesk < 2002-05-09 - Cross-Site Scripting via Ticket Title, Description, or ID Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2002-0931. PoCs published by Ahmet Sabri ALPER.

AI-analyzed exploit summary: The provided text describes a vulnerability in MyHelpDesk where HTML injection is possible due to improper sanitization of form fields. This allows attackers to execute arbitrary HTML and script code in the context of the vulnerable site.

Description

Cross-site scripting vulnerabilities in MyHelpDesk 20020509, and possibly other versions, allow remote attackers to execute script as other users via a (1) Title or (2) Description when a new ticket is created by a support assistant, via the "id" parameter to the index.php script with the (3) tickettime, (4) ticketfiles, or (5) updateticketlog operations, or (6) via the update section when a ticket is edited.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Ahmet Sabri ALPER · text · webapps · php
https://www.exploit-db.com/exploits/21519

The provided text describes a vulnerability in MyHelpDesk where HTML injection is possible due to improper sanitization of form fields. This allows attackers to execute arbitrary HTML and script code in the context of the vulnerable site.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: MyHelpDesk (version not specified)
No auth needed
Prerequisites: Access to form fields or URL parameters in MyHelpDesk
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Ahmet Sabri ALPER · text · webapps · php
https://www.exploit-db.com/exploits/21526

The provided text describes a cross-site scripting (XSS) vulnerability in MyHelpDesk, where unsanitized CGI parameters allow execution of arbitrary HTML/JS code. The example demonstrates a simple alert-based XSS payload.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: MyHelpDesk (version unspecified)
No auth needed
Prerequisites: Victim interaction (clicking a malicious link)
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/9320.php
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4970
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0057.html
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4967
Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/9319.php

Scores

EPSS 0.0307
EPSS Percentile 85.9%

Details

Status published
Products (1)
luis_bernardo/myhelpdesk < 2002-05-09
Published Oct 04, 2002
Tracked Since Feb 18, 2026