CVE-2013-4946

BMC Service Desk Express 10.2.1.95 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-4946. PoCs published by Nuri Fattah.

AI-analyzed exploit summary This is a vulnerability writeup detailing multiple SQL injection and XSS vulnerabilities in BMC Service Desk Express (SDE) Version 10.2.1.95. It includes affected endpoints, vulnerable parameters, and example payloads for XSS but does not contain functional exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in BMC Service Desk Express (SDE) 10.2.1.95 allow remote attackers to inject arbitrary web script or HTML via the (1) SelTab parameter to QV_admin.aspx, the (2) CallBack parameter to QV_grid.aspx, or the (3) HelpPage parameter to commonhelp.aspx.

Exploits (1)

exploitdb WRITEUP
by Nuri Fattah · textwebappsasp
https://www.exploit-db.com/exploits/26806

This is a vulnerability writeup detailing multiple SQL injection and XSS vulnerabilities in BMC Service Desk Express (SDE) Version 10.2.1.95. It includes affected endpoints, vulnerable parameters, and example payloads for XSS but does not contain functional exploit code.

Classification
Writeup 90%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Theoretical
Target: BMC Service Desk Express (SDE) Version 10.2.1.95
No auth needed
Prerequisites: Network access to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/26806
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2013-07/0082.html
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/61147

Scores

EPSS 0.0161
EPSS Percentile 72.9%

Details

CWE
CWE-79
Status published
Products (1)
bmc/service_desk_express 10.2.1.95
Published Jul 29, 2013
Tracked Since Feb 18, 2026