CVE-2009-3513

Pilot Group pg_etraining - Cross-Site Scripting via Multiple Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-3513. PoCs published by Moudi.

AI-analyzed exploit summary The provided text describes a cross-site scripting (XSS) vulnerability in PG eTraining, where user-supplied input is not properly sanitized. The example demonstrates how an attacker could inject malicious script code via the 'id' parameter in the 'news_read.php' URL.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Pilot Group (PG) eTraining allow remote attackers to inject arbitrary web script or HTML via (1) the cat_id parameter to courses_login.php, the id parameter to (2) news_read.php or (3) lessons_login.php, or (4) the cur parameter in a start action to lessons_login.php.

Exploits (3)

exploitdb WRITEUP VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/33120

The provided text describes a cross-site scripting (XSS) vulnerability in PG eTraining, where user-supplied input is not properly sanitized. The example demonstrates how an attacker could inject malicious script code via the 'id' parameter in the 'news_read.php' URL.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: PG eTraining (version not specified)
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/33121

The provided text describes a cross-site scripting (XSS) vulnerability in PG eTraining, where user-supplied data is insufficiently sanitized in the 'lessons_login.php' script. The vulnerability allows arbitrary script execution in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: PG eTraining
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/33119

The provided text describes a cross-site scripting (XSS) vulnerability in PG eTraining, where the 'cat_id' parameter in 'courses_login.php' is not properly sanitized. This allows arbitrary script execution in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: PG eTraining
No auth needed
Prerequisites: Access to the vulnerable URL parameter
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35834
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/52072

Scores

EPSS 0.0150
EPSS Percentile 71.0%

Details

CWE
CWE-79
Status published
Products (1)
pilotgroup/pg_etraining
Published Oct 01, 2009
Tracked Since Feb 18, 2026