CVE-2014-5088

status2k - Cross-Site Scripting via Username Parameter in login.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5088.

AI-analyzed exploit summary This is a detailed technical writeup describing multiple vulnerabilities in Status2k software, including XSS, SQLi, command injection, RCE via eval() backdoor, template manipulation, design flaws, and information leaks. It provides specific code snippets, attack vectors, and proof-of-concept examples for each CVE.

Description

Cross-site scripting (XSS) vulnerability in Status2k allows remote attackers to inject arbitrary web script or HTML via the username to login.php.

Exploits (1)

exploitdb WRITEUP

webappsphp

https://www.exploit-db.com/exploits/34239

View Code ZIP pw:eip

This is a detailed technical writeup describing multiple vulnerabilities in Status2k software, including XSS, SQLi, command injection, RCE via eval() backdoor, template manipulation, design flaws, and information leaks. It provides specific code snippets, attack vectors, and proof-of-concept examples for each CVE.

Classification

Writeup 95%

Attack Type

Rce | Sqli | Xss | Info Leak | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Status2k (all versions)

No auth needed

Prerequisites: Access to vulnerable Status2k installation

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1055 - Process Injection T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/69012

Exploit x_refsource_misc

http://packetstormsecurity.com/files/127719/Status2k-XSS-SQL-Injection-Command-Execution.html

Scores

EPSS 0.0150

EPSS Percentile 71.0%

Details

CWE

CWE-79

Status published

Products (1)

status2k/status2k

Published Aug 06, 2014

Tracked Since Feb 18, 2026