CVE-2009-2332

CMS Chainuk < 1.2 - Exposure of Sensitive Information via Crafted id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2332. PoCs published by eLwaux.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in CMS Chainuk <= v1.2, including Local File Inclusion (LFI), arbitrary file deletion, XSS, and remote code execution (RCE) via file inclusion and PHP code injection. The PoC provides specific exploit paths and payloads for each vulnerability.

Description

CMS Chainuk 1.2 and earlier allows remote attackers to obtain sensitive information via (1) a crafted id parameter to index.php or (2) a nonexistent folder name in the id parameter to admin/admin_delete.php, which reveals the installation path in an error message.

Exploits (1)

exploitdb WORKING POC VERIFIED
by eLwaux · textwebappsphp
https://www.exploit-db.com/exploits/9069

The exploit demonstrates multiple vulnerabilities in CMS Chainuk <= v1.2, including Local File Inclusion (LFI), arbitrary file deletion, XSS, and remote code execution (RCE) via file inclusion and PHP code injection. The PoC provides specific exploit paths and payloads for each vulnerability.

Classification
Working Poc 95%
Attack Type
Rce | Lfi | Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: CMS Chainuk <= v1.2
No auth needed
Prerequisites: Access to the target web application · PHP execution environment
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit vdb-entry x_refsource_osvdb
http://osvdb.org/55671
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9069
Exploit vdb-entry x_refsource_osvdb
http://osvdb.org/55670

Scores

EPSS 0.0243
EPSS Percentile 82.1%

Details

CWE
CWE-200
Status published
Products (1)
cms.tut.su/cms_chainuk < 1.2
Published Jul 05, 2009
Tracked Since Feb 18, 2026