CVE-2014-3854

Pyplate 0.08 - Cross-Site Request Forgery via Title Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3854. PoCs published by Henri Salo.

AI-analyzed exploit summary This HTML form demonstrates a CSRF vulnerability in Pyplate 0.08 Beta, allowing an attacker to trick an authenticated admin into submitting a malicious request that injects a script to exfiltrate cookies.

Description

Cross-site request forgery (CSRF) vulnerability in admin/addScript.py in Pyplate 0.08 allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the title parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Henri Salo · htmlwebappspython

https://www.exploit-db.com/exploits/39199

View Code ZIP pw:eip

This HTML form demonstrates a CSRF vulnerability in Pyplate 0.08 Beta, allowing an attacker to trick an authenticated admin into submitting a malicious request that injects a script to exfiltrate cookies.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Pyplate 0.08 Beta

Auth required

Prerequisites: Victim must be authenticated as an admin · Victim must visit the malicious HTML page

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2014/05/23/1

Exploit mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2014/05/14/3

Scores

EPSS 0.0094

EPSS Percentile 56.1%

Details

CWE

CWE-352

Status published

Products (1)

pyplate/pyplate 0.08

Published Aug 07, 2014

Tracked Since Feb 18, 2026