CVE-2008-0438

Novemberborn sIFR 2.0.2 - Cross-Site Scripting via txt Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0438. PoCs published by Jan Fry.

AI-analyzed exploit summary The exploit demonstrates a cross-site scripting (XSS) vulnerability in Novemberborn sIFR by crafting a malicious URL that injects arbitrary JavaScript code via the 'txt' parameter in the SWF file. This allows an attacker to execute scripts in the context of the affected site, potentially stealing cookies or performing other malicious actions.

Description

Cross-site scripting (XSS) vulnerability in the font rendering functionality in Novemberborn sIFR 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the txt parameter to a Flash (SWF) file, as demonstrated by fonts/FuturaLt.swf.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Jan Fry · textremotemultiple

https://www.exploit-db.com/exploits/31047

View Code ZIP pw:eip

The exploit demonstrates a cross-site scripting (XSS) vulnerability in Novemberborn sIFR by crafting a malicious URL that injects arbitrary JavaScript code via the 'txt' parameter in the SWF file. This allows an attacker to execute scripts in the context of the affected site, potentially stealing cookies or performing other malicious actions.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Novemberborn sIFR versions prior to 2.0.3 and 3r278

No auth needed

Prerequisites: A vulnerable version of Novemberborn sIFR · User interaction to click the malicious link

MITRE ATT&CK