CVE-2008-3758
Lussumo Vanilla <= 1.1.4 - Cross-Site Scripting (XSS) via NewPassword, Account Picture, and Icon Fields
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-3758. PoCs published by GulfTech Security.
AI-analyzed exploit summary: This exploit demonstrates a cross-site scripting (XSS) vulnerability in Vanilla 1.1.4 by injecting a malicious script via the 'NewPassword' parameter in the URL. The script executes arbitrary JavaScript in the context of the affected site, potentially stealing cookies or manipulating the page.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Lussumo Vanilla 1.1.4 and earlier (1) allow remote attackers to inject arbitrary web script or HTML via the NewPassword parameter to people.php, and allow remote authenticated users to inject arbitrary web script or HTML via the (2) Account picture and (3) Icon fields in account.php. NOTE: some of these details are obtained from third party information.