CVE-2008-3668

Yogurt Social Network module 3.2 rc1 - XSS

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2008-3668. PoCs published by Lostmon.

AI-analyzed exploit summary: The exploit demonstrates a reflected XSS vulnerability in Yogurt Social Network by injecting a script tag into the 'uid' parameter of the tribes.php module. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Yogurt Social Network module 3.2 rc1 for XOOPS allow remote attackers to inject arbitrary web script or HTML via the uid parameter to (1) friends.php, (2) seutubo.php, (3) album.php, (4) scrapbook.php, (5) index.php, or (6) tribes.php; or (7) the description field of a new scrap.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/32203

The exploit demonstrates a reflected XSS vulnerability in Yogurt Social Network by injecting a script tag into the 'uid' parameter of the tribes.php module. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yogurt Social Network 3.2 rc1
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/32199

The exploit demonstrates a reflected XSS vulnerability in Yogurt Social Network 3.2 rc1 by injecting a script tag into the 'uid' parameter of the 'seutubo.php' module. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yogurt Social Network 3.2 rc1
No auth needed
Prerequisites: Access to the vulnerable 'seutubo.php' endpoint · User interaction to trigger the XSS payload
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/32201

The exploit demonstrates a reflected XSS vulnerability in Yogurt Social Network by injecting a script tag into the 'uid' parameter of the scrapbook.php module. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yogurt Social Network 3.2 rc1
No auth needed
Prerequisites: Access to the vulnerable scrapbook.php endpoint
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/32202

The exploit demonstrates a reflected XSS vulnerability in Yogurt Social Network by injecting a script tag into the 'uid' parameter of the index.php file. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yogurt Social Network 3.2 rc1
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/32198

The exploit demonstrates a reflected XSS vulnerability in Yogurt Social Network 3.2 rc1 by injecting a script tag into the 'uid' parameter of the friends.php module. The PoC shows how arbitrary JavaScript can be executed in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yogurt Social Network 3.2 rc1
No auth needed
Prerequisites: Access to the vulnerable friends.php endpoint
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/32200

The exploit demonstrates a reflected XSS vulnerability in Yogurt Social Network 3.2 rc1 by injecting a script tag into the 'uid' parameter of the album.php module. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yogurt Social Network 3.2 rc1
No auth needed
Prerequisites: Access to the vulnerable album.php endpoint
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44387
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30618
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44385
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30619

Scores

EPSS 0.0154
EPSS Percentile 71.5%

Details

CWE: CWE-79
Status: published
Products (1): marcello_brandao/yogurt_social_network_module 3.2 rc1
Published: Aug 13, 2008
Tracked Since: Feb 18, 2026