CVE-2013-6043

Softaculous Webuzo < 2.1.4 - Username Enumeration via Login Error Messages

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-6043. PoCs published by Mahendra.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in Webuzo 2.1.3, including remote OS command injection via cookie manipulation, reflected XSS in the File Manager module, and username enumeration through differential error messages. No authentication is required for exploitation.

Description

The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.

Exploits (1)

exploitdb WORKING POC
by Mahendra · textwebappsphp
https://www.exploit-db.com/exploits/31982

The exploit demonstrates multiple vulnerabilities in Webuzo 2.1.3, including remote OS command injection via cookie manipulation, reflected XSS in the File Manager module, and username enumeration through differential error messages. No authentication is required for exploitation.

Classification
Working Poc 90%
Attack Type
Rce | Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Webuzo 2.1.3
No auth needed
Prerequisites: Network access to the target Webuzo instance · Valid session cookie for command injection
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

EPSS 0.0289
EPSS Percentile 85.1%

Details

CWE
CWE-200
Status published
Products (4)
softaculous/webuzo 2.1.0
softaculous/webuzo 2.1.1
softaculous/webuzo 2.1.2
softaculous/webuzo < 2.1.3
Published Dec 27, 2014
Tracked Since Feb 18, 2026