CVE-2007-2233

Cosign <= 2.0.2 - Authenticated Privilege Escalation via Service Parameter CR Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-2233. PoCs published by Jon Oberheide.

AI-analyzed exploit summary: This exploit demonstrates an authentication bypass in the 'cosign' application by injecting malicious input into the POST request, allowing an attacker to assume another user's credentials. The vulnerability arises from inadequate input sanitization in versions prior to 1.9.4b and 2.0.2a.

Description

cosign-bin/cosign.cgi in Cosign 2.0.2 and earlier allows remote authenticated users to perform unauthorized actions as an arbitrary user by using CR (\r) sequences in the service parameter to inject LOGIN and REGISTER commands with the desired username.

Exploits (1)

Source: exploit-db (working PoC, verified)
Author: Jon Oberheide · textwebappscgi
https://www.exploit-db.com/exploits/29844

Classification
Working PoC: 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: cosign < 1.9.4b and < 2.0.2a
Authentication: required
Prerequisites: Authenticated access to the cosign application · Network access to the target service
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References
- Third Party Advisory, VDB Entry (Bugtraq mailing list): http://www.securityfocus.com/archive/1/465386/100/100/threaded
- Patch, Vendor Advisory (Secunia third-party advisory): http://secunia.com/advisories/24845
- Third Party Advisory (VUPEN VDB entry): http://www.vupen.com/english/advisories/2007/1359

Scores

EPSS 0.0199
EPSS Percentile 78.0%

Details

Status published
Products (13)
cosign/cosign 0.7.0
cosign/cosign 0.8.0
cosign/cosign 0.9.0
cosign/cosign 1.0
cosign/cosign 1.1
cosign/cosign 1.5
cosign/cosign 1.6
cosign/cosign 1.7
cosign/cosign 1.8
cosign/cosign 1.8.5
... and 3 more
Published Apr 25, 2007
Tracked Since Feb 18, 2026