CVE-2004-2245
Description
Goollery 0.03 is vulnerable to cross-site scripting via the 'page' and 'btopage' parameters, allowing remote attackers to inject arbitrary HTML or script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Goollery version 0.03 due to the application's failure to properly sanitize user-supplied URI input. Remote attackers can inject arbitrary HTML or web script via the page parameter in viewalbum.php or the btopage parameter in viewpic.php [1].
Exploitation
An attacker can craft a malicious URI link containing hostile HTML and script code. If a victim user clicks on this link, the malicious code may be rendered in their web browser [1].
Impact
Successful exploitation allows a remote attacker to inject arbitrary HTML or web script into a victim's browser, potentially leading to session hijacking or other client-side attacks.
Mitigation
No specific patch information or fixed version is available in the provided references. Users are advised to disable or restrict access to Goollery if possible until a patch is released.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize user-supplied URI input, allowing for the injection of arbitrary HTML or web script."
Attack vector
A remote attacker can craft a malicious URI link that includes hostile HTML and script code. This link can be sent to a victim user, and if followed, the malicious code may be rendered in the victim's web browser. The vulnerability exists in the 'page' parameter of viewalbum.php and the 'btopage' parameter of viewpic.php [1].
Affected code
The vulnerability is present in the 'page' parameter of viewalbum.php and the 'btopage' parameter of viewpic.php in Goollery version 0.03 [1].
What the fix does
The advisory does not specify a patch or describe how the vendor remediated the issue, and no fixed version is identified in the references. The standard correction for a reflected XSS flaw of this kind is to HTML-encode the 'page' and 'btopage' values wherever they are echoed into the response (attribute and text contexts alike), and, if these parameters are only ever meant to carry a page index, to additionally reject any value that is not a small integer before it is used.
Preconditions
- input: The attacker must be able to control the value of the 'page' parameter in viewalbum.php or the 'btopage' parameter in viewpic.php.
- network: The attacker must be able to send a crafted URI to a victim.
References (7)
- securitytracker.com/id [nvd, Exploit]
- www.osvdb.org/11319 [nvd, Exploit, Patch]
- www.osvdb.org/11320 [nvd, Exploit, Patch]
- www.osvdb.org/ref/11/11xxx-goollery_multiple.txt [nvd, Exploit]
- www.securityfocus.com/bid/11587 [nvd, Exploit]
- www.osvdb.org/11318 [nvd]
- exchange.xforce.ibmcloud.com/vulnerabilities/17957 [nvd]
News mentions (0)
No linked articles in our index yet.