CVE-2008-2566

php-address_book < 3.1.5 - Cross-Site Scripting via Group Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-2566. PoCs published by CWH Underground.

AI-analyzed exploit summary The exploit demonstrates SQL injection and XSS vulnerabilities in PHP-Address Book <= 3.1.5. It provides functional exploit URLs for SQLi via union-based injection in view.php and edit.php, and XSS via the 'group' parameter in index.php.

Description

Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the group parameter to (1) index.php or (2) the default URI.

Exploits (2)

exploitdb WORKING POC VERIFIED

by CWH Underground · textwebappsphp

https://www.exploit-db.com/exploits/5739

View Code ZIP pw:eip

The exploit demonstrates SQL injection and XSS vulnerabilities in PHP-Address Book <= 3.1.5. It provides functional exploit URLs for SQLi via union-based injection in view.php and edit.php, and XSS via the 'group' parameter in index.php.

Classification

Working Poc 95%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: PHP-Address Book <= 3.1.5

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/18578