CVE-2013-1466
glFusion < 1.2.2.pl4 - Cross-Site Scripting via Multiple Parameters
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2013-1466. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary The exploit demonstrates multiple reflected XSS vulnerabilities in glFusion 1.2.2 via crafted POST parameters in various scripts. It uses JavaScript to submit forms with malicious payloads, bypassing the 'bad_behaviour' plugin by modifying HTTP Referer headers.
Description
Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url, or (9) zipcode parameter to calendar/index.php; (10) title or (11) url parameter to links/index.php; or (12) PATH_INFO to admin/plugins/mediagallery/xppubwiz.php/.
Exploits (1)
The exploit demonstrates multiple reflected XSS vulnerabilities in glFusion 1.2.2 via crafted POST parameters in various scripts. It uses JavaScript to submit forms with malicious payloads, bypassing the 'bad_behaviour' plugin by modifying HTTP Referer headers.