CVE-2023-4174

LOW NUCLEI

mooSocial mooStore 3.1.6 - Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-4174. PoCs published by CraCkEr, d0rb. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a writeup describing a reflected XSS vulnerability in Social-Commerce 3.1.6. It details multiple vulnerable endpoints and provides example payloads for exploitation.

Description

A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. The identifier VDB-236209 was assigned to this vulnerability.

Exploits (2)

exploitdb WRITEUP VERIFIED
by CraCkEr · text · webapps · php
https://www.exploit-db.com/exploits/51671

This is a writeup describing a reflected XSS vulnerability in Social-Commerce 3.1.6. It details multiple vulnerable endpoints and provides example payloads for exploitation.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Social-Commerce 3.1.6
No auth needed
Prerequisites: Victim interaction required to click on a malicious link
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by d0rb · poc
https://github.com/d0rb/CVE-2023-4174

This PoC demonstrates a command injection vulnerability in the 'ntpserver' parameter of a CGI endpoint, allowing remote code execution (RCE) post-authentication. The exploit logs in with hardcoded credentials and sends a malicious payload to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a network device or appliance with a vulnerable CGI interface)
Auth required
Prerequisites: Valid credentials for the target system · Network access to the target CGI endpoint
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

mooSocial 3.1.6 - Reflected Cross Site Scripting
MEDIUM · VERIFIED · by momika233
Shodan: http.favicon.hash:"702863115"
FOFA: icon_hash="702863115" || moosocial

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.236209
Permissions Required, Third Party Advisory, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.236209

Scores

CVSS v3 3.5
EPSS 0.5779
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
moosocial/moostore 3.1.6
Published Aug 06, 2023
Tracked Since Feb 18, 2026