CVE-2009-4089

telepark.wiki <2.4.23 - Auth Bypass

Title source: llm

Description

telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments via a modified pageID parameter to ajax/deleteComment.php.

Exploits (2)

exploitdb WRITEUP VERIFIED

by Abysssec · textwebappsphp

https://www.exploit-db.com/exploits/10101

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by corelanc0d3r · perllocalwindows

https://www.exploit-db.com/exploits/9483

View Code ZIP pw:eip

References (7)

[Various Sources] http://blog.telepark.com/telepark-web-software/2009/11/09/telepark-wiki-security-fixes/

[Exploit] http://packetstormsecurity.org/0911-exploits/Telepark-fixes-nov09-2.txt

[Vendor Advisory] http://secunia.com/advisories/37391

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/54329

[Exploit, Third Party Advisory] http://www.exploit-db.com/exploits/9483

[Third Party Advisory, VDB Entry] http://www.osvdb.org/60214

[Third Party Advisory, VDB Entry] http://www.osvdb.org/60215

Scores

EPSS 0.1077

EPSS Percentile 93.2%

Classification

CWE

CWE-287

Status draft

Affected Products (1)

telepark/telepark.wiki

Timeline

Published Nov 29, 2009

Tracked Since Feb 18, 2026