CVE-2008-7085

HockeySTATS Online 2.0 - SQL Injection via id or divid Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-7085. PoCs published by Mr.SQL.

AI-analyzed exploit summary: This exploit demonstrates a remote SQL injection vulnerability in Hockeystats Online V BASIC & ADVANCED. It leverages improper input sanitization in the 'id' and 'divid' parameters to extract user credentials via UNION-based SQLi.

Description

Multiple SQL injection vulnerabilities in TheHockeyStop HockeySTATS Online 2.0 Basic and Advanced allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in the viewpage action to the default URI, probably index.php, or (2) divid parameter in the schedule action to index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Mr.SQL · text · webapps · php
https://www.exploit-db.com/exploits/6084


Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Hockeystats Online V BASIC & ADVANCED
No auth needed
Prerequisites: Access to the vulnerable web application · Knowledge of the target database schema
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/43852
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6084
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30248

Scores

EPSS 0.0013
EPSS Percentile 31.5%

Details

CWE: CWE-89
Status: published
Products (1)
thehockeystop/hockeystats_online 2.0 (2 CPE variants)
Published: Aug 26, 2009
Tracked Since: Feb 18, 2026