CVE-2009-1408
webSPELL 4.2.0c - Cross-Site Scripting via Nested BBcode Tags
Exploitation Summary
EIP tracks 1 public exploit for CVE-2009-1408. PoCs published by YEnH4ckEr.
AI-analyzed exploit summary: This exploit demonstrates an XSS vulnerability in webSPELL 4.2.0c by bypassing BBCode filters to inject malicious JavaScript, enabling cookie theft. The PoC includes payloads for both Firefox and IE, along with a PHP script to capture stolen cookies.
Description
Cross-site scripting (XSS) vulnerability in webSPELL 4.2.0c allows remote attackers to inject arbitrary web script or HTML via JavaScript events such as onmouseover in nested BBcode tags, as demonstrated using (1) email, (2) img, and (3) url tags.