CVE-2006-1034

Woltlab Burning Board - Cross-Site Scripting via Username Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-1034. PoCs published by botan.

AI-analyzed exploit summary The provided text describes a cross-site scripting (XSS) vulnerability in Woltlab Burning Board, where user-supplied input is not properly sanitized. The example URL demonstrates how arbitrary script code could be executed in the context of the affected site.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Woltlab Burning Board (wBB) allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to galerie_index.php and possibly (2) galerie_onfly.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. The second vector might not be XSS.

Exploits (2)

exploitdb WRITEUP VERIFIED
by botan · textwebappsphp
https://www.exploit-db.com/exploits/27323

The provided text describes a cross-site scripting (XSS) vulnerability in Woltlab Burning Board, where user-supplied input is not properly sanitized. The example URL demonstrates how arbitrary script code could be executed in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Woltlab Burning Board
No auth needed
Prerequisites: Access to a vulnerable instance of Woltlab Burning Board
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by botan · textwebappsphp
https://www.exploit-db.com/exploits/27322

This exploit demonstrates a reflected XSS vulnerability in Woltlab Burning Board due to insufficient input sanitization. The PoC injects a script tag into the 'username' parameter to execute arbitrary JavaScript in the context of the affected site.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Woltlab Burning Board
No auth needed
Prerequisites: Access to a vulnerable Woltlab Burning Board instance · User interaction to click a crafted URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/16843

Scores

EPSS 0.0139
EPSS Percentile 68.7%

Details

Status published
Products (13)
woltlab/burning_board 1.1.1
woltlab/burning_board 2.0_beta_3
woltlab/burning_board 2.0_beta_4
woltlab/burning_board 2.0_beta_5
woltlab/burning_board 2.0_rc1
woltlab/burning_board 2.0_rc2
woltlab/burning_board 2.2.2
woltlab/burning_board 2.3.1
woltlab/burning_board 2.3.3
woltlab/burning_board 2.4
... and 3 more
Published Mar 07, 2006
Tracked Since Feb 18, 2026