CVE-2010-3266

BugTracker.NET < 3.4.5 - Authenticated Cross-Site Scripting via Multiple Parameters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-3266. PoCs published by Core Security, BugTracker.NET.

AI-analyzed exploit summary This advisory details multiple XSS and SQL injection vulnerabilities in BugTracker.Net, including proof-of-concept examples for exploitation. It provides technical descriptions of the flaws in specific files and lines of code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via (1) the pcd parameter to edit_bug.aspx, (2) the bug_id parameter to edit_comment.aspx, (3) the id parameter to edit_user_permissions2.aspx, or (4) the default_name parameter to edit_customfield.aspx. NOTE: some of these details are obtained from third party information.

Exploits (2)

exploitdb WRITEUP VERIFIED

by Core Security · textwebappsasp

https://www.exploit-db.com/exploits/15653

View Code ZIP pw:eip

This advisory details multiple XSS and SQL injection vulnerabilities in BugTracker.Net, including proof-of-concept examples for exploitation. It provides technical descriptions of the flaws in specific files and lines of code.

Classification

Writeup 100%

Attack Type

Xss | Sqli

Complexity

Moderate

Reliability

Reliable

Target: BugTracker.Net v3.4.4 and older

Auth required

Prerequisites: Access to BugTracker.Net instance · Valid credentials for authenticated vulnerabilities

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by BugTracker.NET · textwebappsasp

https://www.exploit-db.com/exploits/35031

View Code ZIP pw:eip

The provided text describes an SQL injection and XSS vulnerability in BugTracker.NET v3.4.4, with an example XSS payload. It lacks executable exploit code but details the vulnerability and potential impact.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Theoretical

Target: BugTracker.NET v3.4.4

No auth needed

Prerequisites: Access to the target application URL

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Product x_refsource_confirm

http://btnet.svn.sourceforge.net/viewvc/btnet/RELEASE_NOTES.TXT?revision=578&view=markup

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/15653

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/514957/100/0/threaded

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/45121

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/42418

Exploit x_refsource_misc

http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker

Scores

EPSS 0.0280

EPSS Percentile 84.6%

Details

CWE

CWE-79

Status published

Products (50)

ifdefined/bugtracker.net 0.91

ifdefined/bugtracker.net 2.4.1

ifdefined/bugtracker.net 2.4.2

ifdefined/bugtracker.net 2.4.3

ifdefined/bugtracker.net 2.4.4

ifdefined/bugtracker.net 2.4.5

ifdefined/bugtracker.net 2.4.6

ifdefined/bugtracker.net 2.4.7

ifdefined/bugtracker.net 2.4.8

ifdefined/bugtracker.net 2.5.0

... and 40 more

Published Dec 02, 2010

Tracked Since Feb 18, 2026