CVE-2013-2754

umi.cms < 2.9 - Cross-Site Request Forgery via Admin User Addition

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-2754. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in UMI.CMS 2.9, allowing an attacker to create a new administrator account by tricking an authenticated admin into submitting a malicious form. The PoC includes a crafted HTML form with JavaScript to auto-submit the request.

Description

Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS before 2.9 build 21905 allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via a request to admin/users/add/user/do/.

Exploits (1)

exploitdb WORKING POC

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/25449

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in UMI.CMS 2.9, allowing an attacker to create a new administrator account by tricking an authenticated admin into submitting a malicious form. The PoC includes a crafted HTML form with JavaScript to auto-submit the request.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: UMI.CMS 2.9 and prior

Auth required

Prerequisites: Victim must be authenticated as an administrator · Victim must visit a malicious webpage

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2013-05/0029.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/93104

Exploit x_refsource_misc

http://packetstormsecurity.com/files/121564/UMI.CMS-2.9-Cross-Site-Request-Forgery.html

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/25449

Exploit x_refsource_misc

https://www.htbridge.com/advisory/HTB23151

Scores

EPSS 0.0227

EPSS Percentile 80.7%

Details

CWE

CWE-352

Status published

Products (35)

umi-cms/umi.cms 2.3.3.9

umi-cms/umi.cms 2.5.0

umi-cms/umi.cms 2.5.2

umi-cms/umi.cms 2.5.3

umi-cms/umi.cms 2.6

umi-cms/umi.cms 2.6.1

umi-cms/umi.cms 2.6.2

umi-cms/umi.cms 2.6.3

umi-cms/umi.cms 2.6.4

umi-cms/umi.cms 2.6.5

... and 25 more

Published Mar 11, 2014

Tracked Since Feb 18, 2026