CVE-2015-6809

BEdita < 3.6.0 - Stored Cross-Site Scripting via Admin Config and Area Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6809. PoCs published by Sébastien Morin.

AI-analyzed exploit summary The document describes persistent XSS vulnerabilities in Bedita 3.5.1, affecting parameters like 'cfg[projectName]', 'data[stats_provider_url]', and 'data[description]'. It includes HTTP request examples demonstrating how arbitrary JavaScript can be injected and executed in a user's browser.

Description

Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter to index.php/areas/saveArea, or the (3) data[description] parameter to index.php/areas/saveSection.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Sébastien Morin · textwebappsphp
https://www.exploit-db.com/exploits/38051

The document describes persistent XSS vulnerabilities in Bedita 3.5.1, affecting parameters like 'cfg[projectName]', 'data[stats_provider_url]', and 'data[description]'. It includes HTTP request examples demonstrating how arbitrary JavaScript can be injected and executed in a user's browser.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Bedita 3.5.1
Auth required
Prerequisites: Access to authenticated session · Ability to send crafted POST requests
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38051/

Scores

EPSS 0.0364
EPSS Percentile 88.1%

Details

CWE
CWE-79
Status published
Products (1)
bedita/bedita < 3.5.1
Published Sep 04, 2015
Tracked Since Feb 18, 2026