CVE-2012-3831

milesj/decoda < 3.3 - Cross-Site Scripting via img Tag URL

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-3831. PoCs published by RedTeam Pentesting.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in php-decoda versions 3.x, where user input in the video tag is not properly sanitized, allowing the injection of JavaScript event handlers.

Description

Cross-site scripting (XSS) vulnerability in decoda/templates/video.php in Decoda before 3.3.1 allows remote attackers to inject arbitrary web script or HTML via multiple URLs in an img tag.

Exploits (1)

exploitdb WORKING POC
by RedTeam Pentesting · textwebappsphp
https://www.exploit-db.com/exploits/18822

This exploit demonstrates a cross-site scripting (XSS) vulnerability in php-decoda versions 3.x, where user input in the video tag is not properly sanitized, allowing the injection of JavaScript event handlers.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: php-decoda 3.x
No auth needed
Prerequisites: A web application using php-decoda with the video filter enabled
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/81637

Scores

EPSS 0.0247
EPSS Percentile 82.5%

Details

CWE
CWE-79
Status published
Products (12)
milesj/decoda 2.2
milesj/decoda 2.3
milesj/decoda 2.4
milesj/decoda 2.5
milesj/decoda 2.6
milesj/decoda 2.7
milesj/decoda 2.8
milesj/decoda 2.9
milesj/decoda 3.0
milesj/decoda 3.1
... and 2 more
Published Jul 03, 2012
Tracked Since Feb 18, 2026