CVE-2014-9004
vldPersonals < 2.7 - Cross-Site Scripting via Member Profile ID Parameter
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-9004. PoCs published by Mr T.
AI-analyzed exploit summary: The exploit demonstrates XSS and SQL injection vulnerabilities in VLD Personal 2.7. The XSS payload is injected via the 'id' parameter, while SQLi is executed through the 'country' parameter using a time-based benchmark payload.
Description
Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php.
Exploits (1)
The exploit demonstrates XSS and SQL injection vulnerabilities in VLD Personal 2.7. The XSS payload is injected via the 'id' parameter, while SQLi is executed through the 'country' parameter using a time-based benchmark payload.