CVE-2009-3787

Vivvo CMS 4.1.5.1 - Path Traversal via File Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3787. PoCs published by Janek Vind.

AI-analyzed exploit summary: This exploit demonstrates a remote file disclosure vulnerability in Vivvo CMS 4.1.5.1 due to improper filtering of user-submitted data in the 'files.php' script. The attack bypasses directory traversal protections by using '.logs/./' to access sensitive files like configuration and database backups.

Description

files.php in Vivvo CMS 4.1.5.1 allows remote attackers to conduct directory traversal attacks and read arbitrary files via the file parameter with "logs/" in between two . (dot) characters, which is filtered into a "../" sequence.
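The filter-ordering flaw described above, modelled as an added example; this is not Vivvo's code or code from the advisory. It assumes the traversal check runs on the raw value and the "logs/" removal runs afterwards; `BASE_DIR`, the function names and the sample file names are hypothetical.

```python
import posixpath

BASE_DIR = "/var/www/vivvo/files"  # hypothetical download root, not from the advisory


def flawed_resolve(file_param):
    """Assumed model of the bug: check for '../' first, strip 'logs/' afterwards."""
    if "../" in file_param:
        return None  # traversal check sees the raw value only
    cleaned = file_param.replace("logs/", "")  # '.' + 'logs/' + '.' collapses to '..'
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def hardened_resolve(file_param):
    """Canonicalize the final path, then require it to stay under BASE_DIR."""
    if "\x00" in file_param:
        return None
    # No substring stripping: nothing transforms the value after it is checked.
    # On a real filesystem use os.path.realpath() so symlinks are resolved too.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, file_param))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def filter_reintroduces_traversal(file_param):
    """Log-review helper: value is clean before the filter but holds '../' after it."""
    return "../" not in file_param and "../" in file_param.replace("logs/", "")


# Constructed sample values (file names are made up for the demonstration).
SAMPLES = ["report.pdf", "../secret.cfg", ".logs/./secret.cfg"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:24} flawed={flawed_resolve(value)} "
              f"hardened={hardened_resolve(value)} "
              f"flag={filter_reintroduces_traversal(value)}")
```

The containment check is the control that matters: it is applied to the path that will actually be opened, so no earlier transformation can change the result afterwards.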

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Janek Vind · text · webapps · php
https://www.exploit-db.com/exploits/9979


Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Vivvo CMS 4.1.5.1
No auth needed
Prerequisites: Access to the target Vivvo CMS instance
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507358/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37117
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36783
Exploit x_refsource_misc
http://www.waraxe.us/advisory-75.html

Scores

EPSS: 0.0658
EPSS Percentile: 93.0%

Details

CWE: CWE-22
Status: published
Products (1): vivvo/vivvo 4.1.5.1
Published: Oct 26, 2009
Tracked Since: Feb 18, 2026