CVE-2014-4718

Lunar CMS < 3.3 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4718. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates CSRF and stored XSS vulnerabilities in Lunar CMS 3.3. It includes PoC HTML forms to add an admin user and inject malicious scripts via the Contact Form module.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Lunar CMS before 3.3-3 allow remote attackers to hijack the authentication of administrators for requests that (1) add Super users via a request to admin/user_create.php or conduct cross-site scripting (XSS) attacks via the (2) email or (3) subject parameter in contact_form.ext.php to admin/extensions.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by LiquidWorm · text · webapps · php
https://www.exploit-db.com/exploits/33830

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Lunar CMS 3.3
Auth required
Prerequisites: Victim must be authenticated as an admin · Victim must visit a malicious page
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/68153
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/108351
Patch x_refsource_confirm
http://lunarcms.com/Get.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59411
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/33830
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/108350

Scores

EPSS 0.0231
EPSS Percentile 81.1%

Details

CWE: CWE-352
Status: published
Products (4)
lunarcms/lunar_cms 3.1
lunarcms/lunar_cms 3.2
lunarcms/lunar_cms 3.3
lunarcms/lunar_cms < 3.3
Published: Jul 03, 2014
Tracked Since: Feb 18, 2026