CVE-2006-2397

GPhotos <= 1.5 - Cross-Site Scripting via rep or image Parameter


Exploitation Summary

EIP tracks 3 public exploits for CVE-2006-2397. PoCs published by Morocco Security Team.

AI-analyzed exploit summary: The provided text describes an XSS vulnerability in Gphotos due to improper input sanitization. It includes a basic example URL demonstrating the vulnerability but lacks executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in GPhotos 1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) rep parameter to (a) index.php or (b) diapo.php or (2) image parameter to (c) affich.php. NOTE: item 1a might be resultant from directory traversal.

Exploits (3)

exploitdb writeup (verified)
by Morocco Security Team · text · webapps · php
https://www.exploit-db.com/exploits/27864

Classification: Writeup (90%)
Attack type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: Gphotos (version unspecified)
Authentication: none needed
Prerequisites: Access to a vulnerable Gphotos instance
Analyzed by devstral-2, Feb 16, 2026
exploitdb writeup (verified)
by Morocco Security Team · text · webapps · php
https://www.exploit-db.com/exploits/27865

The provided text describes an XSS vulnerability in Gphotos due to improper input sanitization. It includes a sample URL demonstrating the vulnerability but lacks executable exploit code.

Classification: Writeup (90%)
Attack type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: Gphotos (version unspecified)
Authentication: none needed
Prerequisites: Access to the vulnerable application
Analyzed by devstral-2, Feb 16, 2026
exploitdb writeup (verified)
by Morocco Security Team · text · webapps · php
https://www.exploit-db.com/exploits/27866

The provided text describes a vulnerability in Gphotos (CVE-2006-2397) involving XSS and information disclosure due to improper input sanitization. It includes a generic example URL demonstrating the XSS vulnerability but lacks executable exploit code.

Classification: Writeup (80%)
Attack type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: Gphotos (version unspecified)
Authentication: none needed
Prerequisites: Access to the vulnerable Gphotos application
Analyzed by devstral-2, Feb 16, 2026

References (9)

Exploit (VDB entry, SecurityFocus BID): http://www.securityfocus.com/bid/17967
Third-party advisory (VDB entry, VUPEN): http://www.vupen.com/english/advisories/2006/1806
Third-party advisory (VDB entry, OSVDB): http://www.osvdb.org/25499
Third-party advisory (VDB entry, IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/26426
Third-party advisory (VDB entry, OSVDB): http://www.osvdb.org/25497
Third-party advisory (VDB entry, OSVDB): http://www.osvdb.org/25498
Vendor advisory (third-party advisory, Secunia): http://secunia.com/advisories/20095
Third-party advisory (mailing list, Bugtraq): http://www.securityfocus.com/archive/1/433936/100/0/threaded
Third-party advisory (SecurityReason): http://securityreason.com/securityalert/906

Scores

EPSS score: 0.0276
EPSS percentile: 84.3%

Details

Status: published
Products (2):
gphotos/gphotos 1.4
gphotos/gphotos 1.5
Published: May 16, 2006
Tracked since: Feb 18, 2026