CVE-2009-2960

CuteFlow 2.10.3 and 2.11.0_c - Unauthenticated User Account Modification via Direct Request

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2960: a PoC published by Hever Costa Rocha.

AI-analyzed exploit summary: The exploit describes an authentication bypass in CuteFlow. The pages/edituser.php script can be reached without a session, so an unauthenticated client can modify user credentials (usernames and passwords). The root cause is missing access control on that page.

Description

CuteFlow 2.10.3 and 2.11.0_c do not properly restrict access to pages/edituser.php, which allows remote attackers to modify usernames and passwords via a direct request, i.e. by requesting the page without ever logging in.
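The practical check for this class of flaw is to request the page with no session cookie and see whether the application serves its edit form or sends you to the login page. The script below is an added example, not code from CuteFlow or from the exploit-db writeup; the login-page markers and the edit-form fingerprint it matches on are assumptions about typical behaviour, not facts taken from CuteFlow's source. It only issues a GET, so it tests reachability without modifying any account.

```python
"""Probe for the CVE-2009-2960 condition: is pages/edituser.php reachable by a
client that has never logged in?

Added example, not code from CuteFlow or from the exploit-db writeup.  The
response heuristics (login-page markers, the edit-form fingerprint) are
assumptions about typical behaviour, not facts taken from CuteFlow's source.
"""
import urllib.error
import urllib.request
from typing import Tuple

EDITUSER_PATH = "pages/edituser.php"          # path named in the CVE description
REDIRECT_CODES = {301, 302, 303, 307, 308}
LOGIN_MARKERS = ("login", "anmeld")            # assumption: English/German login pages


def _looks_like_login(text: str) -> bool:
    """True if a URL or HTML body appears to be (or point at) a login page."""
    low = text.lower()
    return any(m in low for m in LOGIN_MARKERS)


def classify(status: int, headers: dict, body: str) -> Tuple[str, str]:
    """Classify an *anonymous* response to pages/edituser.php.

    Returns ("exposed" | "protected" | "inconclusive", reason).  'exposed'
    matches the CVE: the page answers with its own edit form, password field
    included, even though no session cookie was sent.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    low = body.lower()

    if status in (401, 403):
        return "protected", f"HTTP {status} without a session"
    if status in REDIRECT_CODES:
        loc = hdrs.get("location", "")
        if _looks_like_login(loc):
            return "protected", f"redirected to login: {loc}"
        return "inconclusive", f"redirected elsewhere: {loc or '(no Location header)'}"
    if status == 200:
        # Assumption: the real edit page posts back to edituser.php and carries a
        # password input; the login page does neither but mentions 'login'.
        if "<form" in low and "edituser.php" in low and 'type="password"' in low:
            return "exposed", "200 with the user-edit form served to an anonymous client"
        if _looks_like_login(low):
            return "protected", "200 but the body is the login page"
        return "inconclusive", "200 without a recognizable form"
    return "inconclusive", f"unexpected HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the classifier sees the redirect itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 10.0) -> Tuple[str, str]:
    """GET <base_url>/pages/edituser.php with no cookies and classify the reply.

    A GET is enough to test reachability; no user data is modified.
    """
    url = base_url.rstrip("/") + "/" + EDITUSER_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2009-2960-check"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx land here with _NoRedirect
        body = err.read().decode("utf-8", "replace")
        return classify(err.code, dict(err.headers), body)


if __name__ == "__main__":
    import sys
    verdict, why = probe(sys.argv[1])
    print(f"{verdict}: {why}")
```

Run it as `python3 check.py http://target/cuteflow`. A "protected" verdict only means the page is not reachable anonymously; it says nothing about whether an authenticated low-privilege user can edit other accounts, which needs a separate authorization test with a real session.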

Exploits (1)

exploit-db (writeup, verified)
by Hever Costa Rocha · text · webapps · php
https://www.exploit-db.com/exploits/9485


Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: CuteFlow (version not specified)
No auth needed
Prerequisites: Access to the target application's edituser.php endpoint
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References (3)
Bugtraq mailing-list post (Third Party Advisory, VDB Entry)
http://www.securityfocus.com/archive/1/506000/100/0/threaded
Secunia advisory 36349 (Third Party Advisory)
http://secunia.com/advisories/36349
SecurityFocus BID 36099 (Exploit, VDB Entry)
http://www.securityfocus.com/bid/36099

Scores

EPSS 0.0348 (3.48% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 87.7%

Details

CWE
CWE-264 (Permissions, Privileges, and Access Controls)
Status published
Products (2)
cuteflow/cuteflow 2.10.3
cuteflow/cuteflow 2.11.0_c
Published Aug 25, 2009
Tracked Since Feb 18, 2026