CVE-2014-5090

status2k - Authenticated Command Injection via Admin Panel Log Location Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5090.

AI-analyzed exploit summary This is a detailed technical writeup describing multiple vulnerabilities in Status2k software, including XSS, SQLi, command injection, RCE via eval() backdoor, template manipulation, design flaws, and information leaks. It provides specific code snippets, affected files, and exploitation steps for each CVE.

Description

admin/options/logs.php in Status2k allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the Location field in Add Logs in the Admin Panel.

Exploits (1)

exploitdb WRITEUP

webappsphp

https://www.exploit-db.com/exploits/34239

View Code ZIP pw:eip

This is a detailed technical writeup describing multiple vulnerabilities in Status2k software, including XSS, SQLi, command injection, RCE via eval() backdoor, template manipulation, design flaws, and information leaks. It provides specific code snippets, affected files, and exploitation steps for each CVE.

Classification

Writeup 95%

Attack Type

Rce | Sqli | Xss | Info Leak | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Status2k (all versions)

Auth required

Prerequisites: Access to admin panel for some exploits · Network access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1055 - Process Injection T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit x_refsource_misc

http://packetstormsecurity.com/files/127719/Status2k-XSS-SQL-Injection-Command-Execution.html

Scores

EPSS 0.0280

EPSS Percentile 84.6%

Details

CWE

CWE-94

Status published

Products (1)

status2k/status2k

Published Aug 06, 2014

Tracked Since Feb 18, 2026