CVE-2009-3196

php_video_script - Cross-Site Scripting via Key Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3196. PoCs published by Moudi.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in JCE-Tech PHP Video Script by injecting a malicious script via the 'key' parameter in the URL. The script executes arbitrary JavaScript in the context of the affected site, potentially stealing cookies or performing other malicious actions.

Description

Cross-site scripting (XSS) vulnerability in index.php in JCE-Tech PHP Video Script allows remote attackers to inject arbitrary web script or HTML via the key parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Moudi · textwebappsphp

https://www.exploit-db.com/exploits/34887

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in JCE-Tech PHP Video Script by injecting a malicious script via the 'key' parameter in the URL. The script executes arbitrary JavaScript in the context of the affected site, potentially stealing cookies or performing other malicious actions.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: JCE-Tech PHP Video Script

No auth needed

Prerequisites: A vulnerable version of JCE-Tech PHP Video Script · User interaction to visit the crafted URL

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/2440

Exploit x_refsource_misc

http://packetstormsecurity.org/0908-exploits/phpvideoyoutube-xss.txt

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/36483

Scores

EPSS 0.0150

EPSS Percentile 70.9%

Details

CWE

CWE-79

Status published

Products (1)

jce-tech/php_video_script

Published Sep 15, 2009

Tracked Since Feb 18, 2026