CVE-2002-1685

BadBlue 1.7 and 1.7.2 - Cross-Site Scripting via ext.dll ISAPI

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-1685. PoCs published by Matthew Murphy.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in BadBlue's ext.dll ISAPI by injecting JavaScript code via a maliciously crafted URL. The vulnerability arises from insufficient input sanitization, allowing arbitrary script execution in the context of a trusted site.

Description

Cross-site scripting vulnerability (XSS) in BadBlue Enterprise Edition and Personal Edition 1.7 and 1.7.2 allows remote attackers to execute arbitrary script as other users by injecting script into ext.dll ISAPI.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Matthew Murphy · textremotewindows
https://www.exploit-db.com/exploits/21576

This exploit demonstrates a cross-site scripting (XSS) vulnerability in BadBlue's ext.dll ISAPI by injecting JavaScript code via a maliciously crafted URL. The vulnerability arises from insufficient input sanitization, allowing arbitrary script execution in the context of a trusted site.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: BadBlue P2P file sharing application (ext.dll ISAPI)
No auth needed
Prerequisites: Target running BadBlue with vulnerable ext.dll ISAPI · Victim interaction (clicking a crafted URL)
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://online.securityfocus.com/archive/1/281088
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/5086
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/9513

Scores

EPSS 0.0729
EPSS Percentile 93.6%

Details

Status published
Products (3)
working_resources_inc./badblue enterprise_1.7.2
working_resources_inc./badblue personal_1.7
working_resources_inc./badblue personal_1.7.2
Published Dec 31, 2002
Tracked Since Feb 18, 2026