Description
Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/36875
exploitdb
WORKING POC
VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/36874
References (6)
Core 6
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.htbridge.ch/advisory/HTB23073
Broken Link x_refsource_misc
http://archives.neohapsis.com/archives/bugtraq/2012-02/0121.html
Broken Link x_refsource_misc
http://chyrp.net/2012/02/02/heres-whats-been-going-on-recently/
Patch, Third Party Advisory x_refsource_misc
https://github.com/vito/chyrp/commit/f69bd791c37e0b154c0bda16f9759ba19cc77f6c
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/52115
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/52117
Scores
CVSS v3
6.1
EPSS
0.1924
EPSS Percentile
95.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
chyrp/chyrp
2.5.2 b1
chyrp/chyrp
< 2.1.2
Published
Nov 21, 2019
Tracked Since
Feb 18, 2026