CVE-2008-0980

Spyce 2.1.3 - Cross-Site Scripting via Multiple Parameters


Exploitation Summary

EIP tracks 5 public exploits for CVE-2008-0980. PoCs published by Richard Brain.

AI-analyzed exploit summary: This exploit demonstrates a cross-site scripting (XSS) vulnerability in Spyce 2.1.3 by injecting a malicious script into the 'name' parameter of a request. The PoC shows how an attacker can execute arbitrary JavaScript in the context of the affected site.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Spyce - Python Server Pages (PSP) 2.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the url or type parameter to docs/examples/redirect.spy; (2) the x parameter to docs/examples/handlervalidate.spy; (3) the name parameter to spyce/examples/request.spy; (4) the Name parameter to spyce/examples/getpost.spy; (5) the mytextarea parameter, the mypass parameter, or an empty parameter to spyce/examples/formtag.spy; (6) the newline parameter to the default URI under demos/chat/; (7) the text1 parameter to docs/examples/formintro.spy; or (8) the mytext or mydate parameter to docs/examples/formtag.spy.

Exploits (5)

exploitdb · WORKING POC · VERIFIED
by Richard Brain · text · webapps · php
https://www.exploit-db.com/exploits/31267

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Spyce 2.1.3 by injecting a malicious script into the 'name' parameter of a request. The PoC shows how an attacker can execute arbitrary JavaScript in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Spyce 2.1.3
No auth needed
Prerequisites: A vulnerable Spyce installation · Ability to craft a malicious URL
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Richard Brain · text · webapps · php
https://www.exploit-db.com/exploits/31268

This exploit demonstrates a reflected XSS vulnerability in Spyce 2.1.3 by injecting arbitrary JavaScript code via the 'Name' parameter in a GET request. The payload triggers a client-side script execution, potentially leading to session hijacking or information disclosure.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Spyce 2.1.3
No auth needed
Prerequisites: A vulnerable Spyce installation with the affected endpoint accessible
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Richard Brain · text · webapps · php
https://www.exploit-db.com/exploits/31266

This exploit demonstrates a reflected XSS vulnerability in Spyce 2.1.3 by injecting a malicious script via the 'x' parameter in the 'handlervalidate.spy' endpoint. The PoC triggers an alert dialog, proving arbitrary JavaScript execution in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Spyce 2.1.3
No auth needed
Prerequisites: Access to the vulnerable Spyce endpoint · User interaction to trigger the XSS payload
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Richard Brain · text · webapps · php
https://www.exploit-db.com/exploits/31269

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Spyce 2.1.3 by injecting malicious scripts via URL parameters. The PoC shows how an attacker can execute arbitrary JavaScript in the context of the affected site, potentially stealing cookies or disclosing server paths.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Spyce 2.1.3
No auth needed
Prerequisites: Access to a vulnerable Spyce instance
devstral-2 · analyzed Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by Richard Brain · text · webapps · php
https://www.exploit-db.com/exploits/31265

This is a writeup describing a cross-site scripting (XSS) vulnerability in Spyce 2.1.3. The vulnerability allows arbitrary script execution in the context of the affected site, potentially leading to credential theft or other client-side attacks.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Spyce 2.1.3
No auth needed
Prerequisites: A vulnerable Spyce installation · Ability to craft a malicious URL
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/3699
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/488336/100/0/threaded
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/27898

Scores

EPSS: 0.0148
EPSS Percentile: 70.5%

Details

CWE: CWE-79
Status: published
Products (1): spyce/spyce 2.1.3
Published: Feb 25, 2008
Tracked Since: Feb 18, 2026