CVE-2011-5040

Infoproject Biznis Heroj - Stored Cross-Site Scripting via config Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-5040. PoCs published by LiquidWorm.

AI-analyzed exploit summary The exploit demonstrates an authentication bypass vulnerability in Infoproject Biznis Heroj via SQL injection in the login.php script. It also includes XSS and SQLi vulnerabilities in other scripts, with clear PoC examples for each.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Infoproject Biznis Heroj allow remote attackers to inject arbitrary web script or HTML via the config parameter to (1) nalozi_naslov.php and (2) widget.dokumenti_lista.php.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/18259

The exploit demonstrates an authentication bypass vulnerability in Infoproject Biznis Heroj via SQL injection in the login.php script. It also includes XSS and SQLi vulnerabilities in other scripts, with clear PoC examples for each.

Classification
Working Poc 90%
Attack Type
Sqli | Auth Bypass | Xss
Complexity
Trivial
Reliability
Reliable
Target: Infoproject Biznis Heroj (Plus, Pro, and Extra versions)
No auth needed
Prerequisites: Access to the login.php endpoint · Basic knowledge of SQL injection techniques
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/71928
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18259

Scores

EPSS 0.0318
EPSS Percentile 86.5%

Details

CWE
CWE-79
Status published
Products (1)
infoproject/biznis_heroj
Published Dec 30, 2011
Tracked Since Feb 18, 2026