CVE-2014-2989

TAO 2.5.6 - Cross-Site Request Forgery via Users/add Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2989. PoCs published by High-Tech Bridge.

AI-analyzed exploit summary This is a CSRF exploit for TOA 2.5.6, allowing an attacker to create a new user with administrative privileges via a crafted HTML form. The exploit leverages missing CSRF token validation in the user addition endpoint.

Description

Cross-site request forgery (CSRF) vulnerability in Open Assessment Technologies TAO 2.5.6 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts via a request to Users/add.

Exploits (1)

exploitdb WORKING POC VERIFIED
by High-Tech Bridge · htmlwebappsphp
https://www.exploit-db.com/exploits/39176

This is a CSRF exploit for TOA 2.5.6, allowing an attacker to create a new user with administrative privileges via a crafted HTML form. The exploit leverages missing CSRF token validation in the user addition endpoint.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: TOA 2.5.6
No auth needed
Prerequisites: Victim must be authenticated and tricked into submitting the form
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/67291
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/58539

Scores

EPSS 0.0120
EPSS Percentile 64.1%

Details

CWE
CWE-352
Status published
Products (1)
open_assessment_technologies_/tao 2.5.6
Published May 13, 2014
Tracked Since Feb 18, 2026