CVE-2010-4613

Hycus CMS 1.0.3 - Path Traversal via Site Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-4613. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in Hycus CMS 1.0.3, including Local File Inclusion (LFI) via the 'site' parameter and SQL Injection (SQLi) via multiple input fields such as 'useremail', 'q', 'user_name', and 'usr_email'. The PoC provides clear examples of how to exploit these vulnerabilities.

Description

Multiple directory traversal vulnerabilities in Hycus CMS 1.0.3 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the site parameter to (1) index.php and (2) admin.php.

Exploits (1)

exploitdb WORKING POC

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/15797

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in Hycus CMS 1.0.3, including Local File Inclusion (LFI) via the 'site' parameter and SQL Injection (SQLi) via multiple input fields such as 'useremail', 'q', 'user_name', and 'usr_email'. The PoC provides clear examples of how to exploit these vulnerabilities.

Classification

Working Poc 100%

Attack Type

Sqli | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Hycus CMS 1.0.3

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/45527

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/15797

Exploit x_refsource_misc

http://www.htbridge.ch/advisory/lfi_in_hycus_cms.html

Scores

EPSS 0.0605

EPSS Percentile 92.4%

Details

CWE

CWE-22

Status published

Products (1)

hycus/hycus_cms 1.0.3

Published Dec 29, 2010

Tracked Since Feb 18, 2026