CVE-2006-2109

JSBoard < 2.0.12 - Cross-Site Scripting via parse_query_str Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-2109. PoCs published by Alexander Klink.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in JSBoard due to insufficient input sanitization. The PoC shows how an attacker can inject arbitrary JavaScript code via the 'table' parameter in the login.php URL to steal cookies.

Description

Cross-site scripting (XSS) vulnerability in the parse_query_str function in include/print.php in JSBoard 2.0.10 and 2.0.11, and possibly other versions before 2.0.12, allows remote attackers to inject arbitrary web script or HTML via parameters that are set as global variables within the program, as demonstrated using the table parameter to login.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Alexander Klink · textwebappsphp

https://www.exploit-db.com/exploits/27794

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in JSBoard due to insufficient input sanitization. The PoC shows how an attacker can inject arbitrary JavaScript code via the 'table' parameter in the login.php URL to steal cookies.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: JSBoard (version not specified)

No auth needed

Prerequisites: Access to the vulnerable JSBoard login.php endpoint

MITRE ATT&CK