CVE-2009-2130

elvinbts 1.2.0 - Unauthenticated Sensitive Information Exposure via Direct Request

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2130. PoCs published by SirGod.

AI-analyzed exploit summary This is a detailed technical writeup describing multiple vulnerabilities in Elvin BTS 1.2.0, including SQL injection, local file inclusion, authentication bypass, XSS, CSRF, and source code disclosure. It provides specific code snippets, vulnerable functions, and proof-of-concept examples for each vulnerability.

Description

Elvin 1.2.0 allows remote attackers to read the PHP source code of (1) login.ei, (2) jump_bug.ei, or (3) create_account.ei in inc/ via a direct request.

Exploits (1)

exploitdb WRITEUP VERIFIED

by SirGod · textwebappsphp

https://www.exploit-db.com/exploits/8953

View Code ZIP pw:eip

This is a detailed technical writeup describing multiple vulnerabilities in Elvin BTS 1.2.0, including SQL injection, local file inclusion, authentication bypass, XSS, CSRF, and source code disclosure. It provides specific code snippets, vulnerable functions, and proof-of-concept examples for each vulnerability.

Classification

Writeup 95%

Attack Type

Sqli | Auth Bypass | Xss | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Elvin BTS 1.2.0

No auth needed

Prerequisites: Network access to the target application

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1055 - Process Injection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/8953

Scores

EPSS 0.0227

EPSS Percentile 80.8%

Details

CWE

CWE-200

Status published

Products (1)

elvinbts/elvinbts 1.2.0

Published Jun 19, 2009

Tracked Since Feb 18, 2026