CVE-2009-2733

Achievo < 1.4.0 - Cross-Site Scripting via Scheduler Title and Contract Search Parameters

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-2733. PoCs published by Ryan Dewhurst.

AI-analyzed exploit summary: This advisory details multiple XSS vulnerabilities in Achievo, including persistent and reflected XSS in various input fields. It provides technical descriptions and proof-of-concept payloads but does not include executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.

Exploits (2)

exploitdb · Writeup · Verified
by Ryan Dewhurst · text · webapps · php
https://www.exploit-db.com/exploits/9863

Classification: Writeup (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Achievo <= 1.3.4
Authentication: none needed
Prerequisites: Access to the vulnerable web application
Analyzed by devstral-2 on Feb 16, 2026
exploitdb · Working PoC · Verified
by Ryan Dewhurst · text · webapps · php
https://www.exploit-db.com/exploits/33281

This exploit demonstrates multiple XSS vulnerabilities in Achievo by injecting malicious scripts via URL parameters. The PoC includes a sample payload and a crafted URL that triggers the vulnerability.

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Achievo prior to 1.4.0
Authentication: none needed
Prerequisites: Access to a vulnerable Achievo instance
Analyzed by devstral-2 on Feb 16, 2026

References (9)

Core References
IBM X-Force Exchange vulnerability 53745 (third-party advisory, VDB entry): https://exchange.xforce.ibmcloud.com/vulnerabilities/53745
IBM X-Force Exchange vulnerability 53744 (third-party advisory, VDB entry): https://exchange.xforce.ibmcloud.com/vulnerabilities/53744
Secunia advisory 37035 (vendor advisory): http://secunia.com/advisories/37035
SecurityTracker 1023017 (third-party advisory, VDB entry): http://securitytracker.com/id?1023017
SecurityFocus BID 36661 (exploit, VDB entry): http://www.securityfocus.com/bid/36661
Bugtraq mailing-list post (third-party advisory): http://www.securityfocus.com/archive/1/507133/100/0/threaded

Scores

EPSS: 0.0226 (percentile 80.7%)

Details

CWE: CWE-79 (Cross-Site Scripting)
Status: published
Products (23)
achievo/achievo 0.7.0
achievo/achievo 0.7.1
achievo/achievo 0.7.2
achievo/achievo 0.7.3
achievo/achievo 0.8.0
achievo/achievo 0.8.0_rc1
achievo/achievo 0.8.0_rc2
achievo/achievo 0.8.1
achievo/achievo 0.9.0
achievo/achievo 0.9.1
... and 13 more
Published Oct 16, 2009
Tracked Since Feb 18, 2026