CVE-2002-2424

PHP(Reactor) 1.2.7 pl1 - Cross-Site Scripting via Style Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-2424. PoCs published by Matthew Murphy.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in php(Reactor) by injecting arbitrary HTML and script code into unsanitized fields. The provided example uses a malicious `<b>` tag with an `expression` attribute to execute JavaScript in the context of the vulnerable website.

Description

Cross-site scripting (XSS) vulnerability in PHP(Reactor) 1.2.7 pl1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the style attribute of an HTML tag.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Matthew Murphy · textwebappsphp

https://www.exploit-db.com/exploits/21755

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in php(Reactor) by injecting arbitrary HTML and script code into unsanitized fields. The provided example uses a malicious `<b>` tag with an `expression` attribute to execute JavaScript in the context of the vulnerable website.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: php(Reactor)

No auth needed

Prerequisites: Access to a field in php(Reactor) that does not sanitize HTML input

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/5569

Third Party Advisory mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2002-08/0262.html

Third Party Advisory vdb-entry x_refsource_xf

http://www.iss.net/security_center/static/9958.php

Scores

EPSS 0.0145

EPSS Percentile 69.9%

Details

CWE

CWE-79

Status published

Products (1)

ekilat_llc/php\(reactor\) 1.27pl1

Published Dec 31, 2002

Tracked Since Feb 18, 2026