CVE-2009-2328

KerviNet Forum <1.1 - RCE

Title source: llm

Description

admin/edit_user.php in KerviNet Forum 1.1 and earlier does not require administrative authentication, which allows remote attackers to delete arbitrary accounts and conduct SQL injection attacks via the del_user_id parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by eLwaux · textwebappsphp

https://www.exploit-db.com/exploits/9068

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] http://www.exploit-db.com/exploits/9068

Scores

EPSS 0.0046

EPSS Percentile 63.7%

Classification

CWE

CWE-287

Status draft

Affected Products (1)

max_kervin/kervinet_forum < 1.1

Timeline

Published Jul 05, 2009

Tracked Since Feb 18, 2026