CVE-2009-3949

VivaPrograms Infinity <2.0.5 - RCE

Title source: llm

Description

cp/profile.php in VivaPrograms Infinity 2.0.5 and earlier does not require administrative authentication for the donewauthor action, which allows remote attackers to create administrative accounts via the name, password, and conf_password parameters.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Qabandi · phpwebappsphp

https://www.exploit-db.com/exploits/9159

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] http://www.exploit-db.com/exploits/9159

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/51779

Scores

EPSS 0.0239

EPSS Percentile 85.1%

Details

CWE

CWE-264

Status published

Products (2)

vivaprograms/infinity_script 2.0.0

vivaprograms/infinity_script < 2.0.5

Published Nov 16, 2009

Tracked Since Feb 18, 2026