CVE-2013-7346

Symphony CMS < 2.3.2 - Cross-Site Request Forgery via SQL Injection in Authors Sort Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-7346. PoCs published by High-Tech Bridge.

AI-analyzed exploit summary: This exploit demonstrates a cross-site request forgery (CSRF) vulnerability in Symphony CMS, allowing an attacker to perform unauthorized actions via a crafted image tag. The example includes a SQL injection payload to write a file, indicating potential for further exploitation.

Description

Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559.

Exploits (1)

exploitdb WORKING POC VERIFIED
by High-Tech Bridge · textwebappsphp
https://www.exploit-db.com/exploits/39136


Classification
Working PoC 90%
Attack Type
SQLi
Complexity
Trivial
Reliability
Reliable
Target: Symphony CMS version 2.3.1 and prior
Auth required
Prerequisites: Victim must be logged into Symphony CMS · Attacker must craft a malicious URL or image tag
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html

Scores

EPSS 0.0055
EPSS Percentile 41.8%

Details

CWE
CWE-352
Status published
Products (10)
getsymphony/symphony 2.0
getsymphony/symphony 2.0.3
getsymphony/symphony 2.0.4
getsymphony/symphony 2.0.5
getsymphony/symphony 2.0.6
getsymphony/symphony 2.0.7
getsymphony/symphony 2.1.0
getsymphony/symphony 2.1.1
getsymphony/symphony 2.3
getsymphony/symphony < 2.3.1
Published Mar 27, 2014
Tracked Since Feb 18, 2026