CVE-2011-5039

Infoproject Biznis Heroj - SQL Injection via login.php or widget.dokumenti_lista.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-5039. PoCs published by LiquidWorm.

AI-analyzed exploit summary The exploit demonstrates an authentication bypass vulnerability in Infoproject Biznis Heroj via SQL injection in the login.php script. It also includes XSS and SQLi vulnerabilities in other scripts, with clear PoC examples for each.

Description

Multiple SQL injection vulnerabilities in Infoproject Biznis Heroj allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to login.php, (3) the filter parameter to widget.dokumenti_lista.php, and (4) the fin_nalog_id parameter to nalozi_naslov.php.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/18259

The exploit demonstrates an authentication bypass vulnerability in Infoproject Biznis Heroj via SQL injection in the login.php script. It also includes XSS and SQLi vulnerabilities in other scripts, with clear PoC examples for each.

Classification
Working Poc 90%
Attack Type
Sqli | Auth Bypass | Xss
Complexity
Trivial
Reliability
Reliable
Target: Infoproject Biznis Heroj (Plus, Pro, and Extra versions)
No auth needed
Prerequisites: Access to the login.php endpoint · Basic knowledge of SQL injection techniques
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18259
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/71927

Scores

EPSS 0.0110
EPSS Percentile 61.3%

Details

CWE
CWE-89
Status published
Products (1)
infoproject/biznis_heroj
Published Dec 30, 2011
Tracked Since Feb 18, 2026