CVE-2009-0323

W3C Amaya < 11.0 - Remote Code Execution via Long Input Tag Type Parameter


Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-0323. PoCs have been published by Metasploit, Core Security, and dookie (original exploit by Rob Carter), including the Metasploit module exploits/windows/browser/amaya_bdo.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in Amaya Browser v11 via an overly long string in the 'bdo' tag, allowing arbitrary code execution. It uses a crafted HTTP response with shellcode to trigger the vulnerability.

Description

Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 and 11.0 allow remote attackers to execute arbitrary code via (1) a long type parameter in an input tag, which is not properly handled by the EndOfXmlAttributeValue function; (2) an "HTML GI" in a start tag, which is not properly handled by the ProcessStartGI function; and unspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to the msgBuffer variable. NOTE: these are different vectors than CVE-2008-6005.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16548

This exploit targets a stack buffer overflow in Amaya Browser v11 via an overly long string in the 'bdo' tag, allowing arbitrary code execution. It uses a crafted HTTP response with shellcode to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Amaya Browser v11
No auth needed
Prerequisites: Target must be using Amaya Browser v11 · Target must visit a malicious webpage or be directed to the exploit server
devstral-2 · analyzed Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by Core Security · text · dos · windows
https://www.exploit-db.com/exploits/7902

The advisory describes multiple stack-based buffer overflow vulnerabilities in Amaya web editor versions 11.0 and earlier, exploitable via crafted HTML/XML input. The PoC demonstrates a buffer overflow in the 'type' parameter of an 'input' tag, leading to potential arbitrary code execution.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Amaya web editor 11.0 and earlier
No auth needed
Prerequisites: Victim must visit a crafted web page
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · NORMAL
by dookie, original exploit by Rob Carter · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/amaya_bdo.rb

This Metasploit module exploits a stack buffer overflow in Amaya Browser v11.0 via an overly long string in the 'bdo' tag, allowing arbitrary code execution. The exploit uses SEH overwrites and a crafted payload to achieve RCE.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Amaya Browser v11.0
No auth needed
Prerequisites: Victim must visit a malicious webpage hosted by the attacker
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/500492/100/0/threaded
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7902
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/48325

Scores

EPSS 0.7354
EPSS Percentile 98.8%

Details

CWE
CWE-119
Status published
Products (50)
w3/amaya 0.9
w3/amaya 0.95b
w3/amaya 1.0
w3/amaya 1.0a
w3/amaya 1.1
w3/amaya 1.1a
w3/amaya 1.1c
w3/amaya 1.2
w3/amaya 1.2a
w3/amaya 1.3
... and 40 more
Published Jan 28, 2009
Tracked Since Feb 18, 2026