CVE-2009-3789
OpenDocMan 1.2.5 - Cross-Site Scripting via Multiple Parameters
Title source: llmExploitation Summary
EIP tracks 12 public exploits for CVE-2009-3789. PoCs published by Amol Naik.
AI-analyzed exploit summary The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, including a sample XSS payload. It lacks executable exploit code but details the vulnerability and potential impact.
Description
Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php.
Exploits (12)
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, including a sample XSS payload. It lacks executable exploit code but details the vulnerability and potential impact.
The exploit demonstrates XSS vulnerabilities in OpenDocMan by injecting JavaScript via unsanitized user input in the URL. It also references an SQL injection vulnerability, though no direct SQLi payload is provided.
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, with example URLs demonstrating the XSS exploit. No actual exploit code is present.
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, with an example XSS payload. It lacks executable exploit code but outlines the vulnerability and potential impact.
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, with an example XSS payload. It lacks executable exploit code but outlines the vulnerability and potential impact.
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, with an example XSS payload. No functional exploit code is included.
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, with an example XSS payload. It lacks executable exploit code but provides technical details and a proof-of-concept URL for XSS.
The exploit demonstrates an XSS vulnerability in OpenDocMan by injecting a script tag into the URL. It also includes a base64-encoded payload suggesting potential SQL injection, though the primary focus is on XSS.
This exploit demonstrates an XSS vulnerability in OpenDocMan 1.2.5 by injecting a script tag into the URL, which executes arbitrary JavaScript in the context of the user's session. The vulnerability arises from insufficient sanitization of user-supplied input in the category.php file.
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, with an example XSS payload. No functional exploit code is included.
The provided text describes an SQL injection and XSS vulnerability in OpenDocMan 1.2.5, with an example XSS payload. It lacks executable exploit code but provides technical details and an attack vector.
The document describes an authentication bypass and multiple XSS vulnerabilities in OpenDocMan v1.2.5. It includes proof-of-concept examples for SQL injection-based authentication bypass and various XSS payloads.