CVE-2009-0455

glFusion < 1.1.1 - Cross-Site Scripting via Anonymous Comments Username Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-0455. PoCs published by Bjarne Mathiesen Schacht.

AI-analyzed exploit summary This exploit demonstrates an HTML injection vulnerability in glFusion by injecting a malicious script via the 'username' parameter in a POST request to comment.php. The payload bypasses sanitization and executes arbitrary JavaScript in the context of the affected site.

Description

Cross-site scripting (XSS) vulnerability in the anonymous comments feature in lib-comment.php in glFusion 1.1.0, 1.1.1, and earlier versions allows remote attackers to inject arbitrary web script or HTML via the username parameter to comment.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Bjarne Mathiesen Schacht · textwebappsphp

https://www.exploit-db.com/exploits/32784

View Code ZIP pw:eip

This exploit demonstrates an HTML injection vulnerability in glFusion by injecting a malicious script via the 'username' parameter in a POST request to comment.php. The payload bypasses sanitization and executes arbitrary JavaScript in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: glFusion 1.1.0 and 1.1.1

No auth needed

Prerequisites: Access to the target's comment.php endpoint

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources x_refsource_misc

http://www.fortconsult.net/images/pdf/advisories/glFusion-xss-advisory.pdf

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33878

Vendor Advisory x_refsource_confirm

http://www.glfusion.org/article.php/xsscomments

Exploit, Patch vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/33683

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/48603

Scores

EPSS 0.0175

EPSS Percentile 82.8%

Details

CWE

CWE-79

Status published

Products (2)

glfusion/glfusion 1.1.0

glfusion/glfusion < 1.1.1

Published Feb 11, 2009

Tracked Since Feb 18, 2026