CVE-2008-0432 in phpAutoVideoinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in index.php in phpAutoVideo 2.21 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat parameter.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/15/2025

The vulnerability identified as CVE-2008-0432 represents a critical cross-site scripting flaw in the phpAutoVideo content management system version 2.21 and earlier. This vulnerability specifically affects the index.php script and occurs when the application fails to properly sanitize user input passed through the cat parameter. The flaw enables remote attackers to inject malicious web scripts or HTML code into the application's output, creating a persistent security risk that can be exploited across multiple user sessions.

This vulnerability maps directly to CWE-79 which defines Cross-Site Scripting as a weakness where software does not properly neutralize user-controllable input data before it is used in web output. The attack vector exploits the lack of proper input validation and output encoding mechanisms within the phpAutoVideo application. When the cat parameter is processed without adequate sanitization, any malicious script injected by an attacker gets executed in the context of other users' browsers who view the affected page, making this a classic stored or reflected XSS vulnerability depending on how the input is subsequently handled.

The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with the capability to steal session cookies, perform unauthorized actions on behalf of users, redirect victims to malicious websites, or even deface the web application. In a production environment, this could lead to complete compromise of user accounts, data theft, and potential lateral movement within the network if the compromised system has access to sensitive resources. The vulnerability affects all users of phpAutoVideo versions prior to 2.22, making it a widespread concern for organizations that have not updated their systems.

Mitigation strategies for CVE-2008-0432 should prioritize immediate patching of the phpAutoVideo application to version 2.22 or later where the XSS vulnerability has been addressed. Organizations should implement proper input validation and output encoding mechanisms to prevent malicious code from being executed, following the principle of least privilege in web application development. Additionally, implementing a comprehensive web application firewall and regular security audits can help detect and prevent similar vulnerabilities. The ATT&CK framework categorizes this as a web application attack pattern under the T1059.007 technique for command and scripting interpreter, where attackers leverage XSS to execute malicious scripts in victim browsers. Organizations should also consider implementing Content Security Policy headers and regular security training for developers to prevent such vulnerabilities in future software development cycles.

Reservation

01/23/2008

Disclosure

01/23/2008

Moderation

accepted

Entry

VDB-40685

CPE

ready

Exploit

Download

EPSS

0.01734

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!