CVE-2015-2198

Beehive Forum 1.4.4 - Cross-Site Scripting via Edit Preferences Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2198. PoCs published by Halil Dalabasmaz.

AI-analyzed exploit summary This advisory describes a stored XSS vulnerability in Beehive Forum v1.4.4, where the 'Homepage URL', 'Picture URL', and 'Avatar URL' fields in the profile section are vulnerable due to insufficient input validation. The PoC demonstrates how an attacker can inject malicious JavaScript code via these fields.

Description

Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly handled in an error message.

Exploits (1)

exploitdb WRITEUP

by Halil Dalabasmaz · textwebappsphp

https://www.exploit-db.com/exploits/36154

View Code ZIP pw:eip

This advisory describes a stored XSS vulnerability in Beehive Forum v1.4.4, where the 'Homepage URL', 'Picture URL', and 'Avatar URL' fields in the profile section are vulnerable due to insufficient input validation. The PoC demonstrates how an attacker can inject malicious JavaScript code via these fields.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Beehive Forum v1.4.4

Auth required

Prerequisites: Access to a user account in Beehive Forum · Ability to modify profile fields

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/36154

Product x_refsource_confirm

http://sourceforge.net/p/beehiveforum/news/2015/02/beehive-forum-145-released/

Scores

EPSS 0.0153

EPSS Percentile 71.6%

Details

CWE

CWE-79

Status published

Products (1)

beehive_forum/beehive_forum 1.4.4

Published Mar 03, 2015

Tracked Since Feb 18, 2026