CVE-2008-1511

CRITICAL

ooComments 1.0 - Remote File Inclusion via PathToComment Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-1511. PoCs published by ZoRLu.

AI-analyzed exploit summary The provided text describes a remote file inclusion vulnerability in ooComments 1.0, where insufficient sanitization of user-supplied data in the 'PathToComment' parameter allows arbitrary file inclusion. The example URL demonstrates the vulnerability but lacks executable exploit code.

Description

Multiple PHP remote file inclusion vulnerabilities in ooComments 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the PathToComment parameter for (1) classes/class_admin.php and (2) classes/class_comments.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Exploits (2)

exploitdb WRITEUP VERIFIED
by ZoRLu · textwebappsphp
https://www.exploit-db.com/exploits/31470

The provided text describes a remote file inclusion vulnerability in ooComments 1.0, where insufficient sanitization of user-supplied data in the 'PathToComment' parameter allows arbitrary file inclusion. The example URL demonstrates the vulnerability but lacks executable exploit code.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: ooComments 1.0
No auth needed
Prerequisites: Network access to the target application · Vulnerable version of ooComments installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by ZoRLu · textwebappsphp
https://www.exploit-db.com/exploits/31469

The provided text describes a remote file inclusion vulnerability in ooComments 1.0, where insufficient sanitization of user-supplied data in the 'PathToComment' parameter allows arbitrary file inclusion. The example URL demonstrates the vulnerability but lacks executable exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: ooComments 1.0
No auth needed
Prerequisites: Network access to the target application · Target application must be running ooComments 1.0
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28401

Scores

CVSS v3 9.8
EPSS 0.0291
EPSS Percentile 86.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
oocomments/oocomments 1.0
Published Mar 25, 2008
Tracked Since Feb 18, 2026