CVE-2009-4906

Acc PHP eMail 1.1 - Cross-Site Request Forgery in Password Change

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4906. PoCs published by bi0.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in Acc PHP eMail v1.1, allowing an attacker to change the admin password by tricking a victim into submitting a malicious form. The PoC includes a crafted HTML form that submits a password change request without the victim's knowledge.

Description

Cross-site request forgery (CSRF) vulnerability in index.php in Acc PHP eMail 1.1 allows remote attackers to hijack the authentication of administrators for requests that change passwords.

Exploits (1)

exploitdb WORKING POC

by bi0 · textwebappsphp

https://www.exploit-db.com/exploits/10412

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in Acc PHP eMail v1.1, allowing an attacker to change the admin password by tricking a victim into submitting a malicious form. The PoC includes a crafted HTML form that submits a password change request without the victim's knowledge.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Acc PHP eMail v1.1

No auth needed

Prerequisites: Victim must be authenticated as admin and visit the malicious page

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/3508

Exploit x_refsource_misc

http://packetstormsecurity.org/0912-exploits/ape-xsrf.txt

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/10412

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/37666

Scores

EPSS 0.0107

EPSS Percentile 60.4%

Details

CWE

CWE-352

Status published

Products (1)

accscripts/acc_php_email 1.1

Published Jun 25, 2010

Tracked Since Feb 18, 2026