CVE-2008-6259

QuadComm Q-Shop < 3.0 - Cross-Site Scripting via search.asp srkeys Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6259. PoCs published by Bl@ckbe@rD.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass via SQL injection and a stored XSS vulnerability in Q-Shop v3.0. The SQL injection allows unauthenticated login by manipulating the UserID and Pwd parameters, while the XSS exploit injects arbitrary JavaScript via the search functionality.

Description

Cross-site scripting (XSS) vulnerability in search.asp in QuadComm Q-Shop 3.0, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the srkeys parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Bl@ckbe@rD · textwebappsasp
https://www.exploit-db.com/exploits/7141

This exploit demonstrates an authentication bypass via SQL injection and a stored XSS vulnerability in Q-Shop v3.0. The SQL injection allows unauthenticated login by manipulating the UserID and Pwd parameters, while the XSS exploit injects arbitrary JavaScript via the search functionality.

Classification
Working Poc 90%
Attack Type
Sqli | Xss | Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Q-Shop v3.0 (possibly prior versions)
No auth needed
Prerequisites: Target running Q-Shop v3.0 with exposed users.asp and search.asp endpoints
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46650
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7141
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32329
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32742

Scores

EPSS 0.0161
EPSS Percentile 72.7%

Details

CWE
CWE-79
Status published
Products (1)
quadcomm/q-shop < 3.0
Published Feb 24, 2009
Tracked Since Feb 18, 2026