CVE-2010-4924

clearBudget 0.9.8 - Remote Code Execution via actionPath Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-4924. PoCs published by Offensive.

AI-analyzed exploit summary This exploit demonstrates a Remote File Include (RFI) vulnerability in clearBudget v0.9.8 by manipulating the 'actionPath' parameter in the 'controller.class.php' file. The vulnerability allows an attacker to include and execute arbitrary remote files on the target server.

Description

PHP remote file inclusion vulnerability in logic/controller.class.php in clearBudget 0.9.8 allows remote attackers to execute arbitrary PHP code via a URL in the actionPath parameter. NOTE: this issue has been disputed by a reliable third party

Exploits (1)

exploitdb WORKING POC

by Offensive · textwebappsphp

https://www.exploit-db.com/exploits/14614

View Code ZIP pw:eip

This exploit demonstrates a Remote File Include (RFI) vulnerability in clearBudget v0.9.8 by manipulating the 'actionPath' parameter in the 'controller.class.php' file. The vulnerability allows an attacker to include and execute arbitrary remote files on the target server.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: clearBudget v0.9.8

No auth needed

Prerequisites: PHP version > 4.x.x · Remote file inclusion enabled on the target server

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/14614

Various Sources mailing-list x_refsource_mlist

http://attrition.org/pipermail/vim/2010-August/002388.html

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/42351

Scores

EPSS 0.0239

EPSS Percentile 81.8%

Details

CWE

CWE-94

Status published

Products (1)

clearbudget/clearbudget 0.9.8

Published Oct 09, 2011

Tracked Since Feb 18, 2026