CVE-2009-2127

elvinbts 1.2.0 - Cross-Site Scripting via show_activity.php id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2127. PoCs published by SirGod.

AI-analyzed exploit summary This is a detailed technical writeup describing multiple vulnerabilities in Elvin BTS 1.2.0, including SQL injection, local file inclusion, authentication bypass, XSS, CSRF, and source code disclosure. It provides specific code snippets, vulnerable functions, and proof-of-concept examples for each vulnerability.

Description

Cross-site scripting (XSS) vulnerability in show_activity.php in Elvin 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED
by SirGod · textwebappsphp
https://www.exploit-db.com/exploits/8953

This is a detailed technical writeup describing multiple vulnerabilities in Elvin BTS 1.2.0, including SQL injection, local file inclusion, authentication bypass, XSS, CSRF, and source code disclosure. It provides specific code snippets, vulnerable functions, and proof-of-concept examples for each vulnerability.

Classification
Writeup 95%
Attack Type
Sqli | Auth Bypass | Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Elvin BTS 1.2.0
No auth needed
Prerequisites: Network access to the target application
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35486
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8953

Scores

EPSS 0.0122
EPSS Percentile 64.5%

Details

CWE
CWE-79
Status published
Products (1)
elvinbts/elvinbts 1.2.0
Published Jun 19, 2009
Tracked Since Feb 18, 2026