[] NeoSense
E X P L O I T S
title author type platform port cve id

phpVibe < 4.20 - Persistent Cross-Site Scripting

Author: Filippos Mastrogiannis
type: webapps
platform: php
port: 
date_added: 2015-07-24 
date_updated: 2016-09-01 
verified: 0 
codes: CVE-2015-5399;OSVDB-126312 
tags: 
aliases:  
screenshot_url:  
application_url: 
# phpVibe < 4.20 Stored XSS

# Vendor Homepage: http://www.phpvibe.com
# Affected Versions: prior to 4.20

# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

This stored XSS vulnerability allows any logged in user
to inject malicious code in the comments section:
e.g. "><body onLoad=confirm("XSS")>

The vulnerability exists because the user input is not properly sanitized
and this can lead to malicious code injection that will be executed on the
target’s browser

-- Proof of Concept --

1. The attacker posts a new comment which contains our payload:
"><body onLoad=confirm("XSS")>

2. The stored XSS can be triggered when any user visits the link of the
uploaded content

-- Solution --

The vendor has fixed the issue in the version 4.21
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.