CVE-2010-3023

DiamondList 0.1.6 - Cross-Site Scripting via Category Description and Site Title Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-3023. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in DiamondList 0.1.6 by injecting malicious JavaScript into the 'site_title' parameter. The PoC submits a form with crafted input to trigger the XSS payload, which executes arbitrary JavaScript in the context of the victim's browser.

Description

Multiple cross-site scripting (XSS) vulnerabilities in DiamondList 0.1.6, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) category[description] parameter to user/main/update_category, which is not properly handled by _app/views/categories/index.html.erb; and the (2) setting[site_title] parameter to user/main/update_settings, which is not properly handled by _app/views/settings/_list_settings.rhtml.

Exploits (2)

exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/34413

This exploit demonstrates a cross-site scripting (XSS) vulnerability in DiamondList 0.1.6 by injecting malicious JavaScript into the 'site_title' parameter. The PoC submits a form with crafted input to trigger the XSS payload, which executes arbitrary JavaScript in the context of the victim's browser.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: DiamondList 0.1.6
Auth required
Prerequisites: Access to a vulnerable DiamondList instance · Valid session or authentication to submit the form
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/34414

This exploit demonstrates a cross-site scripting (XSS) vulnerability in DiamondList 0.1.6 by injecting malicious JavaScript into the 'category[description]' parameter. The script automatically submits a form to trigger the XSS payload, which executes in the context of the affected browser.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: DiamondList 0.1.6
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Exploit mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/512892
Issue Tracking x_refsource_confirm
http://dev.hulihanapplications.com/issues/show/211
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40873
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/512897/100/0/threaded
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2025
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/42252

Scores

EPSS 0.0257
EPSS Percentile 83.1%

Details

CWE
CWE-79
Status published
Products (1)
hulihanapplications/diamondlist 0.1.6
Published Aug 16, 2010
Tracked Since Feb 18, 2026