CVE-2013-7194

eFront 3.6.14 - Authenticated Stored Cross-Site Scripting via Administrator Fields

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-7194. PoCs published by sajith.

AI-analyzed exploit summary This exploit demonstrates stored XSS vulnerabilities in eFront v3.6.14 (build 18012) by injecting malicious payloads into user profile fields, lesson names, and course names. The payloads execute arbitrary JavaScript when rendered in the application.

Description

Multiple cross-site scripting (XSS) vulnerabilities in www/administrator.php in eFront 3.6.14 (build 18012) allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) Last name, (2) Lesson name, or (3) Course name field.

Exploits (1)

exploitdb WORKING POC VERIFIED
by sajith · textwebappsphp
https://www.exploit-db.com/exploits/30213

This exploit demonstrates stored XSS vulnerabilities in eFront v3.6.14 (build 18012) by injecting malicious payloads into user profile fields, lesson names, and course names. The payloads execute arbitrary JavaScript when rendered in the application.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: eFront v3.6.14 (build 18012)
Auth required
Prerequisites: Admin access to the eFront application
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/30213
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/89660

Scores

EPSS 0.0264
EPSS Percentile 83.7%

Details

CWE
CWE-79
Status published
Products (1)
efrontlearning/efront 3.6.14
Published Dec 21, 2013
Tracked Since Feb 18, 2026