CVE-2009-5076
EXPLOITED IN THE WILD
Creloaded Cre Loaded < 6.2 - Authentication Bypass
Title source: ruleDescription
CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, allows remote attackers to bypass authentication and gain administrator privileges via a request with (1) login.php or (2) password_forgotten.php appended as the PATH_INFO. The appended path bypasses a check that uses PHP_SELF, which is not properly handled by (a) includes/application_top.php and (b) admin/includes/application_top.php. The issue was exploited in the wild in 2009.
Scores
EPSS: 0.0023
EPSS Percentile: 45.5%
Exploitation Intel
VulnCheck KEV: 2011-06-08
InTheWild.io: 2012-04-27
Classification
CWE: CWE-287
Status: draft
Affected Products (3)
creloaded/cre_loaded < 6.2
creloaded/cre_loaded
creloaded/cre_loaded
Timeline
Published: Jun 08, 2011
Tracked Since: Feb 18, 2026