CVE-2012-3805

Kajona < 3.4.2 - Cross-Site Scripting via Multiple Input Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-3805. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary This exploit demonstrates multiple reflected XSS vulnerabilities in Kajona CMS by injecting malicious JavaScript via URL parameters. The PoC includes various payloads targeting different input fields, confirming the lack of proper input sanitization.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the getAllPassedParams function in system/functions.php in Kajona before 3.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) absender_name, (2) absender_email, or (3) absender_nachricht parameter to the content page; (4) comment_name, (5) comment_subject, or (6) comment_message parameter to the postacomment module; (7) module parameter to index.php; (8) action parameter to the admin login page; (9) pv or (10) pe parameter in a list action to the user module; (11) user_username, (12) user_email, (13) user_forename, (14) user_name, (15) user_street, (16) user_postal, (17) user_city, (18) user_tel, or (19) user_mobil parameter in a newUser action to the user module; (20) group_name or (21) group_desc parameter in a groupNew action to the user module; (22) name, (23) browsername, (24) seostring, (25) keywords, or (26) folder_id parameter in a newPage action to the pages module; (27) element_name or (28) element_cachetime parameter in a newElement action in the pages module; (29) aspect_name parameter in a newAspect action in the system module; (30) filemanager_name, (31) filemanager_path, (32) filemanager_upload_filter, or (33) filemanager_view_filter parameter in a NewRepo action to the filemanager module; or (34) archive_title or (35) archive_path parameter in a newArchive action to the downloads module. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/37498

This exploit demonstrates multiple reflected XSS vulnerabilities in Kajona CMS by injecting malicious JavaScript via URL parameters. The PoC includes various payloads targeting different input fields, confirming the lack of proper input sanitization.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Kajona CMS 3.4.1
No auth needed
Prerequisites: Access to the target web application
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/49849
Various Sources x_refsource_confirm
http://www.kajona.de/changelog_34x.de.html
Vendor Advisory x_refsource_misc
https://www.htbridge.com/advisory/HTB23097
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-07/0058.html

Scores

EPSS 0.0165
EPSS Percentile 73.7%

Details

CWE
CWE-79
Status published
Products (8)
kajona/kajona 3.1.0
kajona/kajona 3.1.1
kajona/kajona 3.2.0
kajona/kajona 3.2.1
kajona/kajona 3.3.0
kajona/kajona 3.3.1
kajona/kajona 3.4.0
kajona/kajona < 3.4.1
Published Jul 12, 2012
Tracked Since Feb 18, 2026