CVE-2009-4717

Gonafish WebStatCaffe - Cross-Site Scripting via Multiple Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2009-4717. PoCs published by Moudi.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in Gonafish WebStatCaffe due to improper input sanitization. The PoC provides a crafted URL that injects arbitrary JavaScript code into the 'visitorduration.php' page.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Gonafish WebStatCaffe allow remote attackers to inject arbitrary web script or HTML via the (1) host parameter to stat/host.php, nodayshow parameter to (2) mostvisitpage.php and (3) visitorduration.php in stat/, (4) nopagesmost parameter to stat/mostvisitpagechart.php, and date parameter to (5) pageviewers.php, (6) pageviewerschart.php, and (7) referer.php in stat/.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/34675

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Gonafish WebStatCaffe due to improper input sanitization. The PoC provides a crafted URL that injects arbitrary JavaScript code into the 'visitorduration.php' page.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Gonafish WebStatCaffe
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/34679

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Gonafish WebStatCaffe due to improper input sanitization. The PoC shows how arbitrary script code can be executed in the context of the affected site via a crafted URL.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Gonafish WebStatCaffe
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/34678

This exploit demonstrates a reflected XSS vulnerability in Gonafish WebStatCaffe due to improper input sanitization. The PoC injects arbitrary JavaScript via the 'date' parameter in pageviewerschart.php.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Gonafish WebStatCaffe
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/34677

This exploit demonstrates a reflected XSS vulnerability in Gonafish WebStatCaffe due to improper input sanitization. The PoC URL injects arbitrary JavaScript code via the 'date' parameter, which executes in the context of the affected site.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Gonafish WebStatCaffe
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/34676

This exploit demonstrates a reflected XSS vulnerability in Gonafish WebStatCaffe by injecting arbitrary JavaScript via the 'date' parameter in pageviewerschart.php. The payload bypasses basic sanitization using HTML encoding and line breaks.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Gonafish WebStatCaffe
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Moudi · textwebappsphp
https://www.exploit-db.com/exploits/34674

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Gonafish WebStatCaffe by injecting arbitrary script code via unsanitized user input in the 'nodayshow' parameter. The PoC uses a crafted URL to trigger an alert dialog, confirming the vulnerability.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Gonafish WebStatCaffe
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36068

Scores

EPSS 0.0129
EPSS Percentile 66.4%

Details

CWE
CWE-79
Status published
Products (1)
gonafish/webstatcaffe
Published Mar 15, 2010
Tracked Since Feb 18, 2026