CVE-2014-2211

POSH < 3.2.1 - SQL Injection via RSS URL Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2211. PoCs published by Anthony BAUBE.

AI-analyzed exploit summary This exploit demonstrates an SQL injection vulnerability in POSH versions prior to 3.3.0. The PoC crafts a malicious URL that extracts user credentials (username, email, and MD5-hashed passwords) from the database via a UNION-based SQL injection.

Description

SQL injection vulnerability in portal/addtoapplication.php in POSH (aka Posh portal or Portaneo) 3.0 before 3.3.0 allows remote attackers to execute arbitrary SQL commands via the rssurl parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Anthony BAUBE · textwebappsphp
https://www.exploit-db.com/exploits/39108

This exploit demonstrates an SQL injection vulnerability in POSH versions prior to 3.3.0. The PoC crafts a malicious URL that extracts user credentials (username, email, and MD5-hashed passwords) from the database via a UNION-based SQL injection.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: POSH < 3.3.0
No auth needed
Prerequisites: Access to the target URL · Vulnerable version of POSH
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit, Patch x_refsource_misc
http://www.sysdream.com/CVE-2014-2211_2214
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/65817
Product x_refsource_confirm
http://sourceforge.net/p/posh/svn/3540/
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q1/444

Scores

EPSS 0.0240
EPSS Percentile 82.0%

Details

CWE
CWE-89
Status published
Products (9)
posh_project/posh 3.0
posh_project/posh 3.0.1
posh_project/posh 3.0.2
posh_project/posh 3.0.3
posh_project/posh 3.0.4
posh_project/posh 3.1.0
posh_project/posh 3.1.1
posh_project/posh 3.1.2
posh_project/posh < 3.2.1
Published Mar 03, 2014
Tracked Since Feb 18, 2026