CVE-2009-3195

JCE-Tech Auction RSS Content Script 3.0 - Cross-Site Scripting via id Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-3195. PoCs published by Moudi.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in JCE-Tech Auction RSS Content Script by injecting a malicious script into the 'id' parameter of search.php. The script executes arbitrary JavaScript in the context of the affected site, potentially stealing cookies.

Description

Multiple cross-site scripting (XSS) vulnerabilities in JCE-Tech Auction RSS Content Script 3.0 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) rss.php and (2) search.php.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Moudi · textwebappsphp

https://www.exploit-db.com/exploits/34886

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in JCE-Tech Auction RSS Content Script by injecting a malicious script into the 'id' parameter of search.php. The script executes arbitrary JavaScript in the context of the affected site, potentially stealing cookies.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: JCE-Tech Auction RSS Content Script

No auth needed

Prerequisites: Access to the vulnerable search.php endpoint

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Moudi · textwebappsphp

https://www.exploit-db.com/exploits/34885

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in JCE-Tech Auction RSS Content Script by injecting a malicious script via the 'id' parameter in the URL. The script executes arbitrary JavaScript in the context of the affected site, potentially stealing cookies or performing other malicious actions.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: JCE-Tech Auction RSS Content Script

No auth needed

Prerequisites: Access to the vulnerable web application

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/2444

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/36490

Exploit x_refsource_misc

http://packetstormsecurity.org/0908-exploits/auctionrsscs-xss.txt

Scores

EPSS 0.0152

EPSS Percentile 71.4%

Details

CWE

CWE-79

Status published

Products (1)

jce-tech/auction_rss_content_script 3.0

Published Sep 15, 2009

Tracked Since Feb 18, 2026