CVE-2014-5100

Omeka < 2.2.1 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5100. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates a CSRF and stored XSS vulnerability in Omeka 2.2. It includes forms to add a super user, inject a persistent XSS payload, and disable file validation via CSRF attacks.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security.

Exploits (1)

exploitdb WORKING POC VERIFIED

by LiquidWorm · textwebappsphp

https://www.exploit-db.com/exploits/34100

View Code ZIP pw:eip

This exploit demonstrates a CSRF and stored XSS vulnerability in Omeka 2.2. It includes forms to add a super user, inject a persistent XSS payload, and disable file validation via CSRF attacks.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Omeka 2.2

Auth required

Prerequisites: Victim must be authenticated as an admin · Victim must visit a malicious page

MITRE ATT&CK