Exploitation Summary
EIP tracks 3 public exploits for CVE-2012-3872. PoCs published by Lorenzo Cantoni.
AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in Open Constructor 3.12.0 by injecting a JavaScript alert payload into the 'q' parameter of the confirm.php endpoint. The lack of input sanitization allows arbitrary script execution in the context of the user's browser session.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Open Constructor 3.12.0 allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to data/file/edit.php, (2) the q parameter to confirm.php, or (3) the keyword parameter to users/users.php.
Exploits (3)
This exploit demonstrates a reflected XSS vulnerability in Open Constructor 3.12.0 by injecting a JavaScript alert payload into the 'q' parameter of the confirm.php endpoint. The lack of input sanitization allows arbitrary script execution in the context of the user's browser session.
This exploit demonstrates a reflected XSS vulnerability in Open Constructor 3.12.0 due to improper input sanitization. The PoC shows how arbitrary script code can be executed via the 'keyword' parameter in the users.php endpoint.
This exploit demonstrates a reflected XSS vulnerability in Open Constructor 3.12.0 by injecting arbitrary JavaScript code via the 'result' parameter in the edit.php file. The vulnerability arises due to insufficient input sanitization, allowing script execution in the context of the user's browser.