CVE-2009-2328

KerviNet Forum < 1.1 - Unauthenticated SQL Injection and Arbitrary Account Deletion via del_user_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2328. PoCs published by eLwaux.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in KerviNet, including blind SQL injection, SQL injection, XSS (stored and reflected), path disclosure, and unauthorized user deletion. It provides specific payloads and attack vectors for each vulnerability.

Description

admin/edit_user.php in KerviNet Forum 1.1 and earlier does not require administrative authentication, which allows remote attackers to delete arbitrary accounts and conduct SQL injection attacks via the del_user_id parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by eLwaux · textwebappsphp

https://www.exploit-db.com/exploits/9068

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in KerviNet, including blind SQL injection, SQL injection, XSS (stored and reflected), path disclosure, and unauthorized user deletion. It provides specific payloads and attack vectors for each vulnerability.

Classification

Working Poc 95%

Attack Type

Sqli | Xss | Info Leak | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: KerviNet (version not specified)

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1055 - Process Injection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/9068

Scores

EPSS 0.0103

EPSS Percentile 59.2%

Details

CWE

CWE-287

Status published

Products (1)

max_kervin/kervinet_forum < 1.1

Published Jul 05, 2009

Tracked Since Feb 18, 2026