Description
Multiple cross-site request forgery (CSRF) vulnerabilities in Scriptsez.net Ez Poll Hoster (EPH) allow remote attackers to (1) hijack the authentication of arbitrary users for requests that delete polls via the delete_poll action to index.php; and hijack the authentication of administrators for requests that (2) delete users via the manage action to admin.php, or (3) send arbitrary email to arbitrary users in the email action to admin.php.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Milos Zivanovic · textwebappsphp
https://www.exploit-db.com/exploits/10439
References (4)
Core 4
Core References
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3529
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37716
Exploit exploit
x_refsource_exploit-db
http://www.exploit-db.com/exploits/10439
Exploit x_refsource_misc
http://packetstormsecurity.org/0912-exploits/ezpollhoster-xssxsrf.txt
Scores
EPSS
0.0011
EPSS Percentile
29.6%
Details
CWE
CWE-352
Status
published
Products (1)
scriptsez/ez_poll_hoster
Published
Dec 22, 2009
Tracked Since
Feb 18, 2026