CVE-2006-7072
GeoClassifieds Enterprise <= 2.0.5.2 - Cross-Site Scripting via b[username] or c Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-7072. PoCs published by EllipSiS Security.
AI-analyzed exploit summary: This exploit demonstrates multiple XSS vulnerabilities in GeoClassifieds Enterprise by injecting arbitrary script code into user-supplied input fields. The PoC includes URLs and POST requests that trigger the vulnerabilities without requiring authentication.
Description
Cross-site scripting (XSS) vulnerability in GeoClassifieds Enterprise 2.0.5.2 and earlier allows remote attackers to inject arbitrary web script and HTML via the (1) b[username] and (2) c parameters to (a) index.php, the b[username] parameter to (b) admin/index.php, and (3) c[phone] parameter to register.php.