CVE-2010-0709

Limny 2.0 - Cross-Site Request Forgery in User and Admin Actions

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-0709. PoCs published by Luis Santana.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in Limny CMS 2.0, allowing an attacker to create an administrator account via a crafted HTML form. The PoC generates a file 'pwn.html' that, when hosted and accessed by an authenticated admin, submits a form to add a new admin user.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Limny 2.0 allow remote attackers to (1) hijack the authentication of users or administrators for requests that change the email address or password via the user action to index.php, and (2) hijack the authentication of the administrator for requests that create a new user via the admin/modules/user/new action to limny/index.php.

Exploits (2)

exploitdb WORKING POC
by Luis Santana · textwebappsphp
https://www.exploit-db.com/exploits/11478

This exploit demonstrates a CSRF vulnerability in Limny CMS 2.0, allowing an attacker to create an administrator account via a crafted HTML form. The PoC generates a file 'pwn.html' that, when hosted and accessed by an authenticated admin, submits a form to add a new admin user.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Limny CMS 2.0
Auth required
Prerequisites: Victim must be authenticated as an admin · Victim must visit the malicious HTML page
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Luis Santana · textwebappsphp
https://www.exploit-db.com/exploits/11477

This exploit demonstrates a CSRF vulnerability in Limny CMS 2.0, allowing an attacker to change the password and email of any user, including the administrator, via a crafted HTML form. The PoC generates a file named 'pwn.html' that automates the attack when the victim clicks the 'Save' button.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Limny CMS 2.0
No auth needed
Prerequisites: Victim must be authenticated and tricked into clicking the 'Save' button on the malicious page
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/11478
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/56318
Patch, Vendor Advisory x_refsource_confirm
http://www.limny.org/
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38616
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/11477
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/62389

Scores

EPSS 0.0123
EPSS Percentile 65.0%

Details

CWE
CWE-352
Status published
Products (1)
limny/limny 2.0
Published Feb 25, 2010
Tracked Since Feb 18, 2026