CVE-2013-3729

Kasseler CMS < 2 - Cross-Site Request Forgery via Admin PHP Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-3729. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary: The exploit demonstrates SQL injection, XSS, and CSRF vulnerabilities in Kasseler CMS. It includes PoC code for each vulnerability, with SQLi leveraging DNS exfiltration and CSRF to escalate privileges.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Kasseler CMS before 2 r1232 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) groups[] parameter in a send action in the sendmail module or (2) query parameter in a sql_query action in the database module to admin.php, related to CVE-2013-3727.

Exploits (1)

exploitdb WORKING POC
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/26623

Classification
Working PoC (100%)
Attack Type
SQLi | XSS | CSRF
Complexity
Moderate
Reliability
Reliable
Target: Kasseler CMS 2 r1223 and prior
Auth required
Prerequisites: Authenticated admin session for SQLi/CSRF · Ability to trick admin into visiting malicious page
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb)
http://osvdb.org/94781
Exploit (mailing-list, x_refsource_bugtraq)
http://seclists.org/bugtraq/2013/Jul/26
Various Sources (x_refsource_confirm)
http://diff.kasseler-cms.net/svn.html
Patch, Vendor Advisory (x_refsource_confirm)
http://diff.kasseler-cms.net/svn/patches/1232.html

Scores

EPSS 0.0125
EPSS Percentile 65.4%

Details

CWE
CWE-352
Status published
Products (1)
kasseler-cms/kasseler-cms < 2
Published Mar 13, 2014
Tracked Since Feb 18, 2026