CVE-2008-6982

NUCLEI

devalcms 1.4a - Cross-Site Scripting via currentpath Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6982. PoCs published by Khashayar Fereidani. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets a file inclusion vulnerability in devalcms v1.4a by injecting malicious PHP code into the 'hitcounter.php' file via a null-byte termination attack. It then verifies the injection by checking the HTTP response.

Description

Cross-site scripting (XSS) vulnerability in index.php in devalcms 1.4a allows remote attackers to inject arbitrary web script or HTML via the currentpath parameter.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Khashayar Fereidani · python · webapps · php
https://www.exploit-db.com/exploits/6369

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: devalcms v1.4a
No auth needed
Prerequisites: Target running devalcms v1.4a · Network access to the target web server
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Devalcms 1.4a - Cross-Site Scripting
MEDIUM · VERIFIED · by arafatansari

References (5)

Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/31037
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/47971
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6369
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44940

Scores

EPSS: 0.0859
EPSS Percentile: 92.6%

Details

CWE: CWE-79
Status: published
Products (1): devalcms/devalcms 1.4a
Published: Aug 19, 2009
Tracked Since: Feb 18, 2026