CVE-2006-5830

Aiocp - Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-5830. PoCs published by laurent gaffie.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in All In One Control Panel (AIOCP) by injecting a malicious script via the 'order_field' parameter in 'cp_users_online.php'. The script steals cookie-based authentication credentials when executed in the context of the application.

Description

Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.007 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) topid, (2) forid, and (3) catid parameters to code/cp_forum_view.php; (4) choosed_language parameter to cp_dpage.php; (5) orderdir parameter to cp_links_search.php; (6) order_field parameter to (a) cp_show_ec_products.php and (b) cp_users_online.php; and the (7) signature and (8) fiscal code fields in the user profile.

Exploits (5)

exploitdb WORKING POC VERIFIED
by laurent gaffie · textwebappsphp
https://www.exploit-db.com/exploits/28920

This exploit demonstrates a reflected XSS vulnerability in All In One Control Panel (AIOCP) by injecting a malicious script via the 'order_field' parameter in 'cp_users_online.php'. The script steals cookie-based authentication credentials when executed in the context of the application.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint 'cp_users_online.php'
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by laurent gaffie · textwebappsphp
https://www.exploit-db.com/exploits/28919

This exploit demonstrates a reflected XSS vulnerability in All In One Control Panel (AIOCP) by injecting a malicious script via the 'order_field' parameter. The script executes in the context of the application, potentially stealing cookie-based authentication credentials.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint · User interaction to trigger the payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by laurent gaffie · textwebappsphp
https://www.exploit-db.com/exploits/28921

This exploit demonstrates a reflected XSS vulnerability in All In One Control Panel (AIOCP) by injecting a malicious script via the 'orderdir' parameter. The script executes in the context of the application, potentially stealing cookie-based authentication credentials.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by laurent gaffie · textwebappsphp
https://www.exploit-db.com/exploits/28917

This exploit demonstrates multiple reflected XSS vulnerabilities in All In One Control Panel (AIOCP) by injecting malicious JavaScript via unsanitized input parameters. The PoC uses crafted URLs to execute arbitrary script code in the context of the application, potentially stealing cookie-based authentication credentials.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by laurent gaffie · textwebappsphp
https://www.exploit-db.com/exploits/28918

This exploit demonstrates a reflected XSS vulnerability in All In One Control Panel (AIOCP) by injecting a malicious script via the 'choosed_language' parameter. The script executes in the context of the application, potentially stealing cookie-based authentication credentials.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint · User interaction to trigger the payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4378
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/450701/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30045
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30048
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1839
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22719
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20931

Scores

EPSS 0.0236
EPSS Percentile 81.6%

Details

Status published
Products (8)
aiocp/aiocp 1.3.000
aiocp/aiocp 1.3.001
aiocp/aiocp 1.3.002
aiocp/aiocp 1.3.003
aiocp/aiocp 1.3.004
aiocp/aiocp 1.3.005
aiocp/aiocp 1.3.006
aiocp/aiocp 1.3.007
Published Nov 10, 2006
Tracked Since Feb 18, 2026