CVE-2010-1872

FlashCard 2.6.5 and 3.0.1 - Cross-Site Scripting via id Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-1872. PoCs published by Valentin, LipeOzyy.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in FlashCard 2.6.5 by injecting an iframe via the 'id' parameter in cPlayer.php. The lack of input sanitization allows arbitrary script execution in the context of the affected site.

Description

Cross-site scripting (XSS) vulnerability in cPlayer.php in FlashCard 2.6.5 and 3.0.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: some of these details are obtained from third party information.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Valentin · textwebappsphp

https://www.exploit-db.com/exploits/33870

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in FlashCard 2.6.5 by injecting an iframe via the 'id' parameter in cPlayer.php. The lack of input sanitization allows arbitrary script execution in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: FlashCard 2.6.5

No auth needed

Prerequisites: Access to the vulnerable FlashCard installation

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by LipeOzyy · poc

https://github.com/LipeOzyy/CVE-2010-1872-BlazeDVD-SEH-Exploit

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2010-1872, targeting a SEH-based buffer overflow in BlazeDVD 5.0 via a crafted .plf file. The exploit generates a malicious playlist file that triggers a reverse shell upon execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: BlazeDVD 5.0

No auth needed

Prerequisites: Victim must open the malicious .plf file with BlazeDVD 5.0 · DEP and ASLR must be disabled on the target system

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/39648

Exploit x_refsource_misc

http://www.xenuser.org/documents/security/flashcard_xss.txt

Exploit x_refsource_misc

http://packetstormsecurity.org/1004-exploits/flashcard-xss.txt

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/39484

Scores

EPSS 0.0145

EPSS Percentile 70.0%

Details

CWE

CWE-79

Status published

Products (2)

tufat/flashcard 2.6.5

tufat/flashcard 3.0.1

Published May 12, 2010

Tracked Since Feb 18, 2026