CVE-2008-6325

Softbiz Classifieds Script - Cross-Site Scripting via Multiple Parameters


Exploitation Summary

EIP tracks 6 public exploits for CVE-2008-6325. PoCs published by Pouya_Server.

AI-analyzed exploit summary: This exploit demonstrates a cross-site scripting (XSS) vulnerability in Softbiz Classifieds Script by injecting malicious JavaScript via the 'keyword' parameter in the URL. The payload bypasses basic sanitization using obfuscation techniques like mixed case and URL encoding.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Classifieds Script allow remote attackers to inject arbitrary web script or HTML via the (1) radio parameter to showcategory.php, (2) msg parameter to advertisers/signinform.php, (3) radio parameter to gallery.php, (4) msg parameter to lostpassword.php, (5) radio parameter to showcategory.php, (6) msg parameter to admin/adminhome.php, and (7) msg parameter to admin/index.php. NOTE: a different signinform.php file is already covered by CVE-2008-6306.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Pouya_Server · text · webapps · php
https://www.exploit-db.com/exploits/32612

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Softbiz Classifieds Script by injecting malicious JavaScript via the 'keyword' parameter in the URL. The payload bypasses basic sanitization using obfuscation techniques like mixed case and URL encoding.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Softbiz Classifieds Script
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Pouya_Server · text · webapps · php
https://www.exploit-db.com/exploits/32615

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Softbiz Classifieds Script by injecting arbitrary JavaScript code via the 'msg' parameter in the lostpassword.php page. The payload bypasses basic sanitization using mixed case and URL encoding.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Softbiz Classifieds Script
No auth needed
Prerequisites: Access to the target URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Pouya_Server · text · webapps · php
https://www.exploit-db.com/exploits/32614

This exploit demonstrates a reflected XSS vulnerability in Softbiz Classifieds Script by injecting arbitrary JavaScript via the 'keyword' parameter in the gallery.php page. The payload bypasses basic sanitization using mixed case and URL encoding.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Softbiz Classifieds Script (version unspecified)
No auth needed
Prerequisites: Target application must be running Softbiz Classifieds Script · Victim must visit the crafted URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Pouya_Server · text · webapps · php
https://www.exploit-db.com/exploits/32613

This exploit demonstrates a reflected XSS vulnerability in Softbiz Classifieds Script by injecting arbitrary JavaScript via the 'msg' parameter in the signinform.php page. The PoC uses a crafted URL to trigger an alert dialog, proving the lack of input sanitization.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Softbiz Classifieds Script (version not specified)
No auth needed
Prerequisites: Access to the target URL · User interaction to click the malicious link
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Pouya_Server · text · webapps · php
https://www.exploit-db.com/exploits/32617

This exploit demonstrates a reflected XSS vulnerability in Softbiz Classifieds Script by injecting malicious JavaScript via the 'msg' parameter in the admin interface. The payload bypasses basic sanitization by using HTML encoding and line breaks.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Softbiz Classifieds Script (version not specified)
No auth needed
Prerequisites: Access to the admin interface URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Pouya_Server · text · webapps · php
https://www.exploit-db.com/exploits/32616

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Softbiz Classifieds Script by injecting arbitrary JavaScript code via the 'msg' parameter in the adminhome.php page. The payload bypasses basic sanitization by using HTML encoding and line breaks.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Softbiz Classifieds Script (version not specified)
No auth needed
Prerequisites: Access to the vulnerable adminhome.php page
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/47008
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32569
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32828

Scores

EPSS: 0.0149
EPSS Percentile: 70.7%

Details

CWE: CWE-79
Status: published
Products (1): softbizscripts/classifieds_script
Published: Feb 27, 2009
Tracked Since: Feb 18, 2026