CVE-2009-4885

phpCommunity 2 2.1.8 - Cross-Site Scripting via msg Parameter in login.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4885. PoCs published by Salvatore Fresta.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in phpCommunity 2.1.8, including SQL injection (with payloads to extract user credentials), directory traversal (to read arbitrary files), and reflected XSS. The provided URLs are functional examples of exploiting these flaws.

Description

Cross-site scripting (XSS) vulnerability in templates/1/login.php in phpCommunity 2 2.1.8 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Salvatore Fresta · textwebappsphp
https://www.exploit-db.com/exploits/8185

The exploit demonstrates multiple vulnerabilities in phpCommunity 2.1.8, including SQL injection (with payloads to extract user credentials), directory traversal (to read arbitrary files), and reflected XSS. The provided URLs are functional examples of exploiting these flaws.

Classification
Working Poc 95%
Attack Type
Sqli | Info Leak | Xss
Complexity
Trivial
Reliability
Reliable
Target: phpCommunity 2.1.8
No auth needed
Prerequisites: magic_quotes_gpc = off for SQLi
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/49153
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/501588/100/0/threaded
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/8185

Scores

EPSS 0.0110
EPSS Percentile 61.4%

Details

CWE
CWE-79
Status published
Products (1)
bernhard_frohlich/phpcom 2.1.8
Published Jun 11, 2010
Tracked Since Feb 18, 2026