CVE-2011-1062
TaskFreak! 0.6.4 - Cross-Site Scripting via Multiple Parameters
Exploitation Summary
EIP tracks 4 public exploits for CVE-2011-1062. PoCs published by LiquidWorm.
AI-analyzed exploit summary
This exploit demonstrates a cross-site scripting (XSS) vulnerability in TaskFreak! 0.6.4 by injecting malicious input into the Referer header of an HTTP request to rss.php. The lack of input sanitization allows arbitrary script execution in the context of the affected site.
Description
Multiple cross-site scripting (XSS) vulnerabilities in include/html/header.php in TaskFreak! 0.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) sContext, (2) sort, (3) dir, and (4) show parameters in a save action to index.php; the (5) dir and (6) show parameters to print_list.php; and the (7) HTTP referer header to rss.php. NOTE: some of these details are obtained from third party information.
Exploits (4)
This exploit demonstrates a cross-site scripting (XSS) vulnerability in TaskFreak! 0.6.4 by injecting malicious input into the Referer header of an HTTP request to rss.php. The lack of input sanitization allows arbitrary script execution in the context of the affected site.
The exploit demonstrates a cross-site scripting (XSS) vulnerability in TaskFreak! 0.6.4 by injecting malicious script tags into the 'dir' and 'show' parameters of the 'print_list.php' endpoint. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.
This is a functional XSS exploit for TaskFreak! 0.6.4, demonstrating multiple injection points via crafted form inputs. The PoC uses hidden form fields with malicious JavaScript payloads to trigger XSS when submitted.
The exploit demonstrates multiple XSS vulnerabilities in TaskFreak! v0.6.4 by injecting malicious scripts into POST parameters (sContext, sort, dir, show) and GET parameters (dir, show) via index.php and print_list.php, as well as the Referer header via rss.php. The PoC includes a form with hidden inputs and a trigger link to execute the XSS payloads.