CVE-2004-2198

DUware DUclassmate 1.0-1.1 - Unauthenticated Arbitrary Password Change via MM_recordId Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-2198. PoCs published by Soroosh Dalili.

AI-analyzed exploit summary: The provided text describes multiple vulnerabilities in DUclassmate, DUclassified, and DUforum, including SQL injection and HTML injection. However, the code snippet is merely an HTML input field and does not constitute a functional exploit.

Description

account.asp in DUware DUclassmate 1.0 through 1.1 allows remote attackers to change the passwords for arbitrary users by modifying the MM_recordId parameter on the "My Account" page.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Soroosh Dalili · text · webapps · asp
https://www.exploit-db.com/exploits/24672

Classification: Writeup 90%
Attack Type: SQLi | XSS
Complexity: Trivial
Reliability: Theoretical
Target: DUclassmate, DUclassified, DUforum
No auth needed
Prerequisites: Access to vulnerable application
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/17682
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11363
Exploit, Vendor Advisory vdb-entry x_refsource_sectrack
http://www.securitytracker.com/alerts/2004/Oct/1011597.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/10663

Scores

EPSS 0.0608
EPSS Percentile 92.5%

Details

Status published
Products (2)
duware/duclassmate 1.0
duware/duclassmate 1.1
Published Dec 31, 2004
Tracked Since Feb 18, 2026