CVE-2014-10035
couponPHP < 1.1.0 - Authenticated Cross-Site Scripting via Admin Area Parameters
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-10035. PoCs published by LiquidWorm.
AI-analyzed exploit summary
This exploit demonstrates multiple stored XSS and SQL injection vulnerabilities in couponPHP CMS 1.0. It provides detailed examples of malicious payloads for parameters like 'iDisplayLength', 'iDisplayStart', and 'sEcho' in various scripts, along with proof of execution via error messages and HTTP request/response samples.
Description
Multiple cross-site scripting (XSS) vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to inject arbitrary web script or HTML via the (1) sEcho parameter to comments_paginate.php or (2) stores_paginate.php or the (3) affiliate_url, (4) description, (5) domain, (6) seo[description], (7) seo[heading], (8) seo[title], (9) seo[keywords], (10) setting[logo], (11) setting[perpage], or (12) setting[sitename] to admin/index.php.