CVE-2012-2938
Travelon Express 6.2.2 - Cross-Site Scripting via Holiday Name Field
Exploitation Summary
EIP tracks 1 public exploit for CVE-2012-2938. PoCs published by Vulnerability-Lab.
AI-analyzed exploit summary
The exploit demonstrates multiple vulnerabilities in Travelon Express CMS v6.2.2, including SQL injection, persistent XSS, and arbitrary file upload. It provides detailed PoC examples for each vulnerability, including specific endpoints and payloads.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Travelon Express 6.2.2 allow remote attackers to inject arbitrary web script or HTML via the holiday name field to (1) holiday_add.php or (2) holiday_view.php.