CVE-2013-6839

InstantCMS < 1.10.3 - SQL Injection via OrderBy Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-6839. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary This exploit demonstrates a blind SQL injection vulnerability in InstantCMS 1.10.3 via the 'orderby' POST parameter. The provided HTML form manipulates the SQL query to check the MySQL version, confirming the vulnerability.

Description

SQL injection vulnerability in InstantSoft InstantCMS 1.10.3 and earlier allows remote attackers to execute arbitrary SQL commands via the orderby parameter to catalog/[id].

Exploits (1)

exploitdb WORKING POC

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/30398

View Code ZIP pw:eip

This exploit demonstrates a blind SQL injection vulnerability in InstantCMS 1.10.3 via the 'orderby' POST parameter. The provided HTML form manipulates the SQL query to check the MySQL version, confirming the vulnerability.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: InstantCMS 1.10.3 and prior

No auth needed

Prerequisites: Access to the target application's catalog page

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/56041

Patch, Vendor Advisory x_refsource_confirm

http://www.instantcms.ru/novosti/security-update-1-10-3.html

Exploit x_refsource_misc

https://www.htbridge.com/advisory/HTB23185

Exploit mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2013-12/0049.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/63842

Scores

EPSS 0.0130

EPSS Percentile 66.7%

Details

CWE

CWE-89

Status published

Products (1)

instantsoft/instantcms < 1.10.3

Published Dec 13, 2013

Tracked Since Feb 18, 2026