CVE-2013-4103
CRITICAL
Cryptocat < 2.0.22 - Remote Script Injection via Improper Input Sanitization
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2013-4103. PoCs published by Mario Heiderich.
AI-analyzed exploit summary
This exploit demonstrates an arbitrary script-injection vulnerability in Cryptocat due to improper input sanitization. The provided base64-encoded payload injects an iframe, allowing arbitrary script execution in the context of the application.
Description
Cryptocat before 2.0.22 is vulnerable to Remote Script Injection because it does not properly sanitize user input.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Mario Heiderich · text · remote · multiple
https://www.exploit-db.com/exploits/38637
Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
Cryptocat versions prior to 2.0.22
No auth needed
Prerequisites:
User interaction to visit a malicious URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (5)
Core References
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/134252/Cryptocat-Script-Insertion.html
Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2013/07/10/15
Product x_refsource_misc
https://tobtu.com/decryptocat.php
Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/cve/CVE-2013-4103
Third Party Advisory, VDB Entry x_refsource_misc
https://www.securityfocus.com/bid/61093
Scores
CVSS v3
9.8
EPSS
0.0714
EPSS Percentile
91.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (1)
cryptocat_project/cryptocat
< 2.0.22
Published
Nov 04, 2019
Tracked Since
Feb 18, 2026