CVE-2014-1915
Command School Student Management System 1.06.01 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Command School Student Management System 1.06.01 allow remote attackers to hijack the authentication of (1) administrators for requests that change the administrator password via an update action to sw/admin_change_password.php or (2) unspecified victims for requests that add a topic or blog entry to sw/add_topic.php. NOTE: vector 2 can be leveraged to bypass the authentication requirements for exploiting vector 1 in CVE-2014-1914.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by AtT4CKxT3rR0r1ST · html · webapps · php
https://www.exploit-db.com/exploits/38957
exploitdb
WORKING POC
VERIFIED
by AtT4CKxT3rR0r1ST · html · webapps · php
https://www.exploit-db.com/exploits/38958
References (4)
Scores
EPSS: 0.0040
EPSS Percentile: 60.8%
Details
CWE: CWE-352
Status: published
Products (1): doug_poulin/command_school_student_management_system 1.06.01
Published: Feb 07, 2014
Tracked Since: Feb 18, 2026