CVE-2009-4360

XOOPS 0.5 - Content Module - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4360. PoCs published by s4r4d0.

AI-analyzed exploit summary This exploit demonstrates an SQL injection vulnerability in the Content module for XOOPS by injecting a UNION-based SQL query to retrieve the database version. It leverages insufficient input sanitization in the 'id' parameter.

Description

SQL injection vulnerability in modules/content/index.php in the Content module 0.5 for XOOPS allows remote attackers to inject arbitrary web script or HTML via the id parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by s4r4d0 · textwebappsphp

https://www.exploit-db.com/exploits/33381

View Code ZIP pw:eip

This exploit demonstrates an SQL injection vulnerability in the Content module for XOOPS by injecting a UNION-based SQL query to retrieve the database version. It leverages insufficient input sanitization in the 'id' parameter.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: XOOPS Content module 0.5

No auth needed

Prerequisites: Access to the vulnerable XOOPS Content module endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit x_refsource_misc

http://securityreason.com/exploitalert/7494

Exploit x_refsource_misc

http://www.packetstormsecurity.org/0911-exploits/xoopscontent-sql.txt

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/54489

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/37155

Scores

EPSS 0.0099

EPSS Percentile 57.9%

Details

CWE

CWE-89

Status published

Products (1)

handcoders/content_module 0.5

Published Dec 20, 2009

Tracked Since Feb 18, 2026