CVE-2011-4275

EXPLOITED

iTop 1.1.181 and 1.2.0-RC-282 - Cross-Site Scripting via Multiple Input Vectors

Exploitation Summary

CVE-2011-4275 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Metasploit, Halim Cruzito, iskorpitx.

AI-analyzed exploit summary: This Metasploit module exploits an arbitrary file upload vulnerability in Open Flash Chart v2 via the 'ofc_upload_image.php' script, allowing attackers to upload and execute malicious PHP files. The exploit leverages a lack of file extension validation and directory traversal to achieve remote code execution.

Description

Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/29210

This Metasploit module exploits an arbitrary file upload vulnerability in Open Flash Chart v2 via the 'ofc_upload_image.php' script, allowing attackers to upload and execute malicious PHP files. The exploit leverages a lack of file extension validation and directory traversal to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Open Flash Chart v2 (and integrated applications like Piwik, OpenEMR, zonPHP)
No auth needed
Prerequisites: Network access to the target web server · The 'ofc_upload_image.php' script must be accessible
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Halim Cruzito · text · webapps · php
https://www.exploit-db.com/exploits/29091

This exploit demonstrates a remote code execution (RCE) vulnerability in ZonPHP v2.25 by uploading a malicious PHP file via the `ofc_upload_image.php` endpoint. The script uses cURL to send a POST request with a PHP payload, which is then accessible on the target server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZonPHP v2.25
No auth needed
Prerequisites: Target server running ZonPHP v2.25 · Access to the `ofc_upload_image.php` endpoint
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by iskorpitx · text · webapps · php
https://www.exploit-db.com/exploits/24969

This exploit targets a remote code injection vulnerability in Joomla's com_civicrm component (CVE-2011-4275). It uploads a malicious PHP file via the ofc_upload_image.php script, which then executes arbitrary commands to fetch and deploy a shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Joomla with CiviCRM component 4.2.2
No auth needed
Prerequisites: Target must have the vulnerable CiviCRM component installed · The tmp-upload-images directory must be writable
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/24529

This Metasploit module exploits an unauthenticated file upload vulnerability in OpenEMR 4.1.1 via the `ofc_upload_image.php` script, allowing arbitrary PHP code execution. It uploads a malicious PHP payload to the `tmp-upload-images` directory and triggers it via HTTP request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: OpenEMR 4.1.1
No auth needed
Prerequisites: Network access to the target OpenEMR instance · OpenEMR 4.1.1 with vulnerable `openflashchart` library
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by LiquidWorm · php · webapps · php
https://www.exploit-db.com/exploits/24492

This exploit demonstrates an arbitrary file upload vulnerability in OpenEMR 4.1.1 via the 'ofc_upload_image.php' script, allowing remote code execution by uploading a malicious PHP script with multiple extensions. The PoC includes a reverse shell payload for Linux targets.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: OpenEMR 4.1.1
No auth needed
Prerequisites: Network access to the target · PHP and Apache running on the target
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
by Braeden Thomas · text · webapps · php
https://www.exploit-db.com/exploits/10532

This exploit demonstrates a remote code execution vulnerability in Open Flash Chart due to improper input sanitization. The PoC shows how an attacker can execute arbitrary PHP code by sending a crafted HTTP request with malicious data in the 'name' and 'HTTP_RAW_POST_DATA' parameters.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Open Flash Chart 2 Beta 1, Open Flash Chart 2, and possibly other versions
No auth needed
Prerequisites: Network access to the target server · Open Flash Chart installed and accessible
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/520632
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/520632/100/0/threaded

Scores

EPSS: 0.0162
EPSS Percentile: 73.0%

Details

VulnCheck KEV: 2020-07-08
CWE: CWE-79
Status: published
Products (2):
combodo/itop 1.1.181
combodo/itop 1.2.0 rc282
Published: Nov 26, 2011
Tracked Since: Feb 18, 2026