CVE-2009-2141

TBDev.NET 01-01-08 - Cross-Site Scripting via Returnto Parameter or User Profile Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2141. PoCs published by intern0t.

AI-analyzed exploit summary This advisory details multiple XSS and HTML injection vulnerabilities in TBDev 01-01-2008, including specific exploit URLs and affected functions. It provides technical insights into the vulnerabilities and suggests mitigation strategies.

Description

Multiple cross-site scripting (XSS) vulnerabilities in TBDev.NET 01-01-08 allow remote attackers to inject arbitrary web script or HTML via (1) the returnto parameter to makepoll.php, (2) the returnto parameter in a delete action to polls.php, or the (3) Info or (4) Avatar field to my.php.

Exploits (1)

exploitdb WRITEUP VERIFIED

by intern0t · textwebappsphp

https://www.exploit-db.com/exploits/8942

View Code ZIP pw:eip

This advisory details multiple XSS and HTML injection vulnerabilities in TBDev 01-01-2008, including specific exploit URLs and affected functions. It provides technical insights into the vulnerabilities and suggests mitigation strategies.

Classification

Writeup 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: TBDev 01-01-2008

Auth required

Prerequisites: Access to vulnerable TBDev instance · Valid credentials for some exploits

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit x_refsource_misc

http://forum.intern0t.net/intern0t-advisories/1121-intern0t-tbdev-01-01-2008-multiple-vulnerabilities.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/35378

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/8942

Scores

EPSS 0.0148

EPSS Percentile 70.6%

Details

CWE

CWE-79

Status published

Products (1)

tbdev/tbdev.net

Published Jun 22, 2009

Tracked Since Feb 18, 2026