CVE-2009-1458
razorCMS < 0.4 - Cross-Site Scripting via slab, catname, or cat Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2009-1458. PoCs published by Jeremi Gosney.
AI-analyzed exploit summary: The exploit demonstrates multiple XSS vulnerabilities in razorCMS 0.3RC2 by injecting malicious JavaScript into URL parameters. The payloads steal cookies and user-agent data, sending them to an attacker-controlled server.
Description
Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in razorCMS before 0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the slab parameter in an edit action, (2) the catname parameter in a showcats action, and (3) the cat parameter in a reordercat action.