CVE-2013-2498

SimpleHRM <= 2.3 - SQL Injection via Username Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-2498, a PoC writeup published by Doraemon.

AI-analyzed exploit summary: The document describes SQL injection (CVE-2013-2498) and cookie spoofing (CVE-2013-2499) vulnerabilities in Simple HRM system v2.3 and below. It details the vulnerable parameters, files, and attack vectors but does not include executable exploit code.

Description

SQL injection vulnerability in the login page in flexycms/modules/user/user_manager.php in SimpleHRM 2.3, 2.2, and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter to index.php/user/setLogin.
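The description above names the vulnerable file, endpoint and parameter but not the query itself. The following is an added example, not code from this page or from SimpleHRM: it reconstructs the bug class (a login query built by string concatenation) against an in-memory SQLite table with constructed sample users, puts the hardened parameterized form beside it, and adds a crude check for the quote-and-comment payload shape. The query text, the placeholder password hashing and the sample rows are all assumptions.

```python
"""Login-query SQL injection of the kind CVE-2013-2498 describes.

Added example, not SimpleHRM's own code: the page names only the file
(flexycms/modules/user/user_manager.php), the endpoint
(index.php/user/setLogin) and the parameter (username). The query shape,
the placeholder password hashing and the sample users below are assumptions
chosen to show the bug class, not the project's real implementation.
"""
import hashlib
import sqlite3

# Constructed sample users (id, username, plaintext password); not real data.
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "alice", "hunter2")]


def _pw_hash(password: str) -> str:
    """Placeholder hash; a real application would use a salted password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    for uid, name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, name, _pw_hash(pw)))
    conn.commit()
    return conn


def set_login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Assumed vulnerable pattern: the username is pasted into the SQL text.

    Returns (id, username) of the matched row, or None. With a username of
    "admin' -- " the rest of the WHERE clause, including the password check,
    becomes an SQL comment, so any password logs in as admin.
    """
    sql = (
        "SELECT id, username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + _pw_hash(password)
        + "'"
    )
    return conn.execute(sql).fetchone()


def set_login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: bound parameters, so the input can never alter the query."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, _pw_hash(password)),
    ).fetchone()


def is_suspicious_username(username: str) -> bool:
    """Crude log-review heuristic for the quote-plus-comment/OR payload shape.

    This catches the textbook payloads only; it is a triage aid, not a fix.
    """
    lowered = username.lower()
    return "'" in lowered and ("--" in lowered or " or " in lowered or "/*" in lowered)


if __name__ == "__main__":
    db = make_db()
    payload = "admin' -- "  # the page's "username" parameter, attacker-controlled
    print("vulnerable, wrong password:", set_login_vulnerable(db, payload, "wrong"))
    print("fixed, wrong password:     ", set_login_fixed(db, payload, "wrong"))
    print("flagged by heuristic:      ", is_suspicious_username(payload))
```

The vulnerable function returns the admin row for the payload with any password, which is the authentication bypass the classification below lists; the parameterized version returns nothing for the same input. The heuristic is only useful for scanning access logs or request captures for obvious attempts; the fix is the bound parameter, not input filtering.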

Exploits (1)

exploitdb WRITEUP VERIFIED
by Doraemon · text · webapps · php
https://www.exploit-db.com/exploits/24954

Classification
Writeup 90%
Attack Type
SQLi | Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Simple HRM system v2.2/2.3
No auth needed
Prerequisites: access to the login page · knowledge of SQL injection techniques
Analyzed by mistral-large-3 on Feb 16, 2026.

References (3)

Core references (3)
Exploit, mailing list (oss-security): http://www.openwall.com/lists/oss-security/2013/04/17/1
Third-party advisory, VDB entry (OSVDB): http://osvdb.org/92538
Third-party advisory, VDB entry (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/83628

Scores

EPSS 0.0132
EPSS Percentile 67.3%

Details

CWE
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL Injection)
Status published
Products (2)
simplehrm/simplehrm 2.3
simplehrm/simplehrm <= 2.2
Published Mar 01, 2014
Tracked Since Feb 18, 2026