CVE-2008-2995

PHPEasyData 1.5.4 - SQL Injection via Annuaire Parameter or Admin Login Username

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-2995. PoCs published by Sylvain THUAL.

AI-analyzed exploit summary This exploit demonstrates SQL injection and XSS vulnerabilities in PHPEasyData 1.5.4 by injecting a UNION-based SQL query to extract user credentials from the database. The attack leverages unsanitized input in the 'annuaire' parameter.

Description

Multiple SQL injection vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to execute arbitrary SQL commands via (1) the annuaire parameter to annuaire.php or (2) the username field in admin/login.php.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Sylvain THUAL · textwebappsphp

https://www.exploit-db.com/exploits/31904

View Code ZIP pw:eip

This exploit demonstrates SQL injection and XSS vulnerabilities in PHPEasyData 1.5.4 by injecting a UNION-based SQL query to extract user credentials from the database. The attack leverages unsanitized input in the 'annuaire' parameter.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: PHPEasyData 1.5.4

No auth needed

Prerequisites: Access to the vulnerable PHPEasyData application

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by Sylvain THUAL · textwebappsphp

https://www.exploit-db.com/exploits/31905

View Code ZIP pw:eip

The provided text describes SQL injection and XSS vulnerabilities in PHPEasyData 1.5.4, specifically detailing an authentication bypass via SQL injection in admin/login.php. It lacks executable exploit code but provides technical details for manual exploitation.

Classification

Writeup 90%

Attack Type

Sqli | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: PHPEasyData 1.5.4

No auth needed

Prerequisites: Access to the admin/login.php endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/493273/100/0/threaded

Third Party Advisory third-party-advisory x_refsource_sreason

http://securityreason.com/securityalert/3969

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/29659

Scores

EPSS 0.0097

EPSS Percentile 57.6%

Details

CWE

CWE-89

Status published

Products (1)

phpeasydata/phpeasydata 1.5.4

Published Jul 03, 2008

Tracked Since Feb 18, 2026