CVE-2007-0768

Yahoo Messenger < 8.1.0.209 - Stored Cross-Site Scripting via Contact Details IMG SRC Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-0768. PoCs published by Hai Nam Luke.

AI-analyzed exploit summary This exploit leverages an HTML injection vulnerability in Yahoo! Messenger by embedding malicious JavaScript in the 'Lastname' field. When the victim accepts the contact request and interacts with the attacker, the script executes in the context of the victim's browser.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Contact Details functionality in Yahoo! Messenger 8.1.0.209 and earlier allow user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG element to the (1) First Name, (2) Last Name, and (3) Nickname fields. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Hai Nam Luke · textdoswindows

https://www.exploit-db.com/exploits/29531

View Code ZIP pw:eip

This exploit leverages an HTML injection vulnerability in Yahoo! Messenger by embedding malicious JavaScript in the 'Lastname' field. When the victim accepts the contact request and interacts with the attacker, the script executes in the context of the victim's browser.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Yahoo! Messenger versions prior to 2.1.0.29

Auth required

Prerequisites: Attacker must create a Yahoo! Messenger account · Victim must accept the attacker's contact request · Victim must interact with the attacker's message or status change

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →