CVE-2009-4385

Scriptsez.net Ez Poll Hoster - CSRF

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4385. PoCs published by Milos Zivanovic.

AI-analyzed exploit summary This exploit demonstrates multiple XSS and XSRF vulnerabilities in Ez Poll Hoster, including proof-of-concept URLs and a form-based exploit for sending arbitrary emails to all users. The vulnerabilities allow for cross-site scripting and cross-site request forgery attacks.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Scriptsez.net Ez Poll Hoster (EPH) allow remote attackers to (1) hijack the authentication of arbitrary users for requests that delete polls via the delete_poll action to index.php; and hijack the authentication of administrators for requests that (2) delete users via the manage action to admin.php, or (3) send arbitrary email to arbitrary users in the email action to admin.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Milos Zivanovic · textwebappsphp
https://www.exploit-db.com/exploits/10439

This exploit demonstrates multiple XSS and XSRF vulnerabilities in Ez Poll Hoster, including proof-of-concept URLs and a form-based exploit for sending arbitrary emails to all users. The vulnerabilities allow for cross-site scripting and cross-site request forgery attacks.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Ez Poll Hoster (version not specified)
No auth needed
Prerequisites: Access to the target application · User interaction for XSS
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3529
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37716
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/10439

Scores

EPSS 0.0097
EPSS Percentile 57.1%

Details

CWE
CWE-352
Status published
Products (1)
scriptsez/ez_poll_hoster
Published Dec 22, 2009
Tracked Since Feb 18, 2026