CVE-2006-0787

Plaino Wimpy MP3 Player <5.2 - XSS

Title source: llm
STIX 2.1

Description

wimpy_trackplays.php in Plaino Wimpy MP3 Player, possibly 5.2 and earlier, allows remote attackers to insert arbitrary strings into trackme.txt via the (1) trackFile, (2) trackArtist, and (3) trackTitle parameters, which can result in providing false information about songs, occupying excessive disk space with very long parameter values, and storing executable code that might be invoked through a different vulnerability. NOTE: since this issue, as described by the original researcher, is entirely dependent on the presence of another vulnerability, it could be argued that Wimpy cannot be responsible for how its data file is processed by applications outside of its control. Since this issue might only be useful as a facilitator manipulation in another vulnerability, perhaps it should not be included in CVE.

Exploits (1)

exploitdb WORKING POC VERIFIED
by ReZEN · textremotelinux
https://www.exploit-db.com/exploits/27244

References (4)

Core 4
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/16696
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18900
Exploit, Vendor Advisory x_refsource_misc
http://www.xorcrew.net/xpa/XPA-WimpyMP3Player.txt
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/24770

Scores

EPSS 0.0443
EPSS Percentile 89.1%

Details

Status published
Products (1)
plaino/wimpy_mp3 < 5.2
Published Feb 19, 2006
Tracked Since Feb 18, 2026