CVE-2009-4874

TalkBack 2.3.14 - Unauthenticated Comment Modification via comments.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4874. PoCs published by JIKO.

AI-analyzed exploit summary: This exploit demonstrates multiple vulnerabilities in TalkBack 2.3.14, including command injection via the 'result' parameter in 'import.php' and local file inclusion via the 'language' parameter in 'help.php'. The PoC provides clear instructions and code snippets for exploitation.

Description

TalkBack 2.3.14 does not properly restrict access to the edit comment feature (comments.php), which allows remote attackers to modify comments.

Exploits (1)

exploit-db · Working PoC · Verified
by JIKO · tags: text, webapps, php
https://www.exploit-db.com/exploits/9095


Classification
Working PoC (90%)
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: TalkBack 2.3.14
No auth needed
Prerequisites: Access to the vulnerable 'comments.php', 'import.php', or 'help.php' endpoints
devstral-2 · analyzed Feb 18, 2026

References (6)

Core References
Exploit (VDB entry, BID): http://www.securityfocus.com/bid/35619
Vendor Advisory (third-party advisory, Secunia): http://secunia.com/advisories/35735
Third Party Advisory, VDB Entry (OSVDB): http://osvdb.org/55745
Exploit, Third Party Advisory (exploit-db): http://www.exploit-db.com/exploits/9095

Scores

EPSS 0.0261
EPSS Percentile 83.4%

Details

CWE
CWE-264 (Permissions, Privileges, and Access Controls)
Status published
Products (1)
scripts.oldguy/talkback 2.3.14
Published May 26, 2010
Tracked Since Feb 18, 2026