CVE-2008-7098

Qsoft K-Rate Premium - Cross-Site Scripting via Blog Title/Text, Gallery Description, Forum Message, or Vote Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-7098. PoCs published by Corwin.

AI-analyzed exploit summary The exploit demonstrates SQL injection and XSS vulnerabilities in K-Rate, a picture rating script. It includes functional SQLi payloads for extracting database information and XSS payloads for cookie theft.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Qsoft K-Rate Premium allow remote attackers to inject arbitrary web script or HTML via the blog, possibly the (1) Title and (2) Text fields; (3) the gallery, possibly the Description field in Your Pictures; (4) the forum, possibly the Your Message field when posting a new thread; or (5) the vote parameter in a view action to index.php. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Corwin · textwebappsphp

https://www.exploit-db.com/exploits/6312

View Code ZIP pw:eip

The exploit demonstrates SQL injection and XSS vulnerabilities in K-Rate, a picture rating script. It includes functional SQLi payloads for extracting database information and XSS payloads for cookie theft.

Classification

Working Poc 95%

Attack Type

Sqli | Xss | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: K-Rate (all versions)

Auth required

Prerequisites: Authenticated user access · Target application running K-Rate

MITRE ATT&CK