CVE-2012-1911

PHP Address Book < 6.2.11 - SQL Injection via to_group or id Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-1911. PoCs published by Stefan Schurtz.

AI-analyzed exploit summary: The exploit demonstrates multiple SQL injection and XSS vulnerabilities in PHP Address Book 6.2.12. It provides direct URLs with payloads for blind SQL injection and XSS attacks, confirming the vulnerabilities are exploitable.

Description

Multiple SQL injection vulnerabilities in PHP Address Book 6.2.12 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) to_group parameter to group.php or (2) id parameter to vcard.php. NOTE: the edit.php vector is already covered by CVE-2008-2565.

Exploits (1)

exploitdb WORKING POC
by Stefan Schurtz · tags: text, webapps, php
https://www.exploit-db.com/exploits/18578


Classification: Working PoC (90%)
Attack Type: SQLi | XSS
Complexity: Trivial
Reliability: Reliable
Target: PHP Address Book 6.2.12
Authentication: No auth needed
Prerequisites: Access to the target web application
Analyzed by devstral-2 on Feb 18, 2026

References (6)


Scores

EPSS: 0.0123
EPSS Percentile: 65.0%

Details

CWE: CWE-89
Status: published
Products (50):
chatelao/php_address_book 1.0
chatelao/php_address_book 1.2
chatelao/php_address_book 2.0
chatelao/php_address_book 2.1
chatelao/php_address_book 2.1.1
chatelao/php_address_book 2.2
chatelao/php_address_book 2.3
chatelao/php_address_book 2.4
chatelao/php_address_book 2.6
chatelao/php_address_book 3.0
... and 40 more
Published: Sep 09, 2012
Tracked Since: Feb 18, 2026