CVE-2008-0398

aflog < 1.01 - Cross-Site Scripting via Comment Form

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0398. PoCs published by shinmai.

AI-analyzed exploit summary This is a technical writeup detailing SQL injection and XSS vulnerabilities in aflog 1.01. It provides specific exploit examples, including a SQLi payload to extract admin credentials and an XSS payload to steal cookies.

Description

Cross-site scripting (XSS) vulnerability in aflog 1.01, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the comment form.

Exploits (1)

exploitdb WRITEUP VERIFIED

by shinmai · textwebappsphp

https://www.exploit-db.com/exploits/4958

View Code ZIP pw:eip

This is a technical writeup detailing SQL injection and XSS vulnerabilities in aflog 1.01. It provides specific exploit examples, including a SQLi payload to extract admin credentials and an XSS payload to steal cookies.

Classification

Writeup 90%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: aflog 1.01 (and possibly earlier)

No auth needed

Prerequisites: Access to the target application · Ability to craft malicious URLs

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/0255

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/28594

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/4958

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/27398

Scores

EPSS 0.0144

EPSS Percentile 70.0%

Details

CWE

CWE-79

Status published

Products (1)

aflog/aflog < 1.01

Published Jan 23, 2008

Tracked Since Feb 18, 2026