CVE-2008-3937

MEDIUM

OpenDb 1.0.6 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2008-3937. PoCs published by C1c4Tr1Z.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in Open Media Collectors Database (OpenDb) by injecting arbitrary JavaScript code via the 'redirect_url' parameter in the user_profile.php page. The PoC uses a simple 'alert(document.cookie)' payload to confirm the vulnerability.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Open Media Collectors Database (OpenDb) 1.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) user_id parameter in an edit action to user_admin.php, the (2) title parameter to listings.php, and the (3) redirect_url parameter to user_profile.php.

Exploits (3)

exploitdb WORKING POC VERIFIED
by C1c4Tr1Z · textwebappsphp
https://www.exploit-db.com/exploits/32315

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Open Media Collectors Database (OpenDb) by injecting arbitrary JavaScript code via the 'redirect_url' parameter in the user_profile.php page. The PoC uses a simple 'alert(document.cookie)' payload to confirm the vulnerability.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Open Media Collectors Database (OpenDb) 1.0.6
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by C1c4Tr1Z · textwebappsphp
https://www.exploit-db.com/exploits/32313

This exploit demonstrates a reflected XSS vulnerability in Open Media Collectors Database (OpenDb) by injecting malicious JavaScript via the 'user_id' parameter in the 'user_admin.php' script. The PoC uses an img tag with an onerror event to execute arbitrary JavaScript, such as stealing cookies.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Open Media Collectors Database (OpenDb) 1.0.6
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by C1c4Tr1Z · textwebappsphp
https://www.exploit-db.com/exploits/32314

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Open Media Collectors Database (OpenDb) 1.0.6. The vulnerability arises from insufficient sanitization of user-supplied input in the 'title' parameter, allowing arbitrary JavaScript execution in the context of the affected site.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Open Media Collectors Database (OpenDb) 1.0.6
No auth needed
Prerequisites: A vulnerable version of OpenDb · User interaction to trigger the XSS payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30989
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/31719

Scores

CVSS v3 6.1
EPSS 0.0136
EPSS Percentile 68.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
opendb/opendb 1.0.6
Published Sep 05, 2008
Tracked Since Feb 18, 2026