CVE-2009-5076
EXPLOITED IN THE WILDCRE Loaded < 6.2.14 - Unauthenticated Authentication Bypass via PATH_INFO Manipulation
Title source: llmExploitation Summary
CVE-2009-5076 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, allows remote attackers to bypass authentication and gain administrator privileges via a request with (1) login.php or (2) password_forgotten.php appended as the PATH_INFO, which bypasses a check that uses PHP_SELF, which is not properly handled by (a) includes/application_top.php and (b) admin/includes/application_top.php, as exploited in the wild in 2009.
References (2)
Core 2
Core References
Exploit, URL Repurposed x_refsource_misc
http://hosting-4-creloaded.com/node/116
Patch, Vendor Advisory x_refsource_confirm
https://www.creloaded.com/fdm_file_detail.php?file_id=191
Scores
EPSS
0.0141
EPSS Percentile
69.3%
Details
VulnCheck KEV
2011-06-08
InTheWild.io
2012-04-27
CWE
CWE-287
Status
published
Products (3)
creloaded/cre_loaded
6.3
creloaded/cre_loaded
6.15
creloaded/cre_loaded
< 6.2
Published
Jun 08, 2011
Tracked Since
Feb 18, 2026