CVE-2012-2903

PHP Address Book < 6.1.1 - Cross-Site Scripting via PATH_INFO or Language Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2903. PoCs published by Stefan Schurtz.

AI-analyzed exploit summary The exploit demonstrates multiple SQL injection and XSS vulnerabilities in PHP Address Book 6.2.12. It provides direct URLs with payloads for blind SQL injection and XSS attacks, confirming the vulnerabilities are exploitable.

Description

Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 7.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to group.php, or the (2) target_language or (3) target_flag parameter to translate.php.

Exploits (1)

exploitdb WORKING POC
by Stefan Schurtz · textwebappsphp
https://www.exploit-db.com/exploits/18578

The exploit demonstrates multiple SQL injection and XSS vulnerabilities in PHP Address Book 6.2.12. It provides direct URLs with payloads for blind SQL injection and XSS attacks, confirming the vulnerabilities are exploitable.

Classification
Working Poc 90%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Reliable
Target: PHP Address Book 6.2.12
No auth needed
Prerequisites: Access to the target web application
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5

Scores

EPSS 0.0181
EPSS Percentile 76.0%

Details

CWE
CWE-79
Status published
Products (50)
chatelao/php_address_book 1.0
chatelao/php_address_book 1.2
chatelao/php_address_book 2.0
chatelao/php_address_book 2.1
chatelao/php_address_book 2.1.1
chatelao/php_address_book 2.2
chatelao/php_address_book 2.3
chatelao/php_address_book 2.4
chatelao/php_address_book 2.6
chatelao/php_address_book 3.0
... and 40 more
Published May 21, 2012
Tracked Since Feb 18, 2026