CVE-2012-3873

Openconstructor - SQL Injection

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-3873. PoCs published by Lorenzo Cantoni.

AI-analyzed exploit summary The exploit details SQL injection vulnerabilities in Openconstructor CMS 3.12.0 via the 'id' parameter in multiple pages. It provides proof-of-concept URLs demonstrating blind SQL injection techniques.

Description

Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) data/gallery/edit.php, (2) data/guestbook/edit.php, (3) data/file/edit.php, (4) data/htmltext/edit.php, (5) data/publication/edit.php, or (6) data/event/edit.php.

Exploits (1)

exploitdb WRITEUP

by Lorenzo Cantoni · textwebappsphp

https://www.exploit-db.com/exploits/20347

View Code ZIP pw:eip

The exploit details SQL injection vulnerabilities in Openconstructor CMS 3.12.0 via the 'id' parameter in multiple pages. It provides proof-of-concept URLs demonstrating blind SQL injection techniques.

Classification

Writeup 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Openconstructor CMS 3.12.0

Auth required

Prerequisites: Authenticated access to the application · Existence of an object (e.g., gallery, guestbook) to exploit the vulnerability

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit x_refsource_misc

http://packetstormsecurity.org/files/115286/Openconstructor-CMS-3.12.0-SQL-Injection.html

Scores

EPSS 0.0092

EPSS Percentile 55.6%

Details

CWE

CWE-89

Status published

Products (1)

openconstructor_project/openconstructor 3.12.0

Published Dec 28, 2012

Tracked Since Feb 18, 2026