CVE-2011-5318

diafan.cms < 5.0 - Cross-Site Request Forgery via Admin Actions

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-5318. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The exploit demonstrates CSRF and XSS vulnerabilities in diafan.CMS 4.3. It includes PoC forms that submit malicious requests to modify user data and execute arbitrary JavaScript code.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in diafan.CMS before 5.1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify articles via a save_post action to admin/news/saveNEWS_ID/, (2) modify settings via a save_post action to admin/site/save2/, or (3) modify credentials via a save_post action to admin/usersite/save2/.

Exploits (1)

exploitdb WORKING POC

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/15969

View Code ZIP pw:eip

The exploit demonstrates CSRF and XSS vulnerabilities in diafan.CMS 4.3. It includes PoC forms that submit malicious requests to modify user data and execute arbitrary JavaScript code.

Classification

Working Poc 100%

Attack Type

Xss | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: diafan.CMS 4.3 and prior versions

No auth needed

Prerequisites: Victim must visit a malicious webpage or be tricked into submitting a crafted form

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit x_refsource_misc

https://www.htbridge.com/advisory/HTB22775

Scores

EPSS 0.0106

EPSS Percentile 60.1%

Details

CWE

CWE-352

Status published

Products (1)

diafan/diafan.cms < 5.0

Published Jan 01, 2015

Tracked Since Feb 18, 2026