CVE-2014-5112

Fonality trixbox - Remote Code Execution via lang Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5112. PoCs published by AtT4CKxT3rR0r1ST.

AI-analyzed exploit summary This exploit demonstrates a file write vulnerability in ol-commerce 2.1.1, allowing an attacker to write a PHP shell to the server via unsanitized input in the 'lang' parameter. The shell can then be accessed to execute arbitrary commands.

Description

maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by AtT4CKxT3rR0r1ST · textwebappsphp

https://www.exploit-db.com/exploits/39352

View Code ZIP pw:eip

This exploit demonstrates a file write vulnerability in ol-commerce 2.1.1, allowing an attacker to write a PHP shell to the server via unsanitized input in the 'lang' parameter. The shell can then be accessed to execute arbitrary commands.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: ol-commerce 2.1.1

No auth needed

Prerequisites: Network access to the target application · The target application must be running ol-commerce 2.1.1 or a vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit x_refsource_misc

http://packetstormsecurity.com/files/127522/Trixbox-XSS-LFI-SQL-Injection-Code-Execution.html

Scores

EPSS 0.0916

EPSS Percentile 94.7%

Details

CWE

CWE-94

Status published

Products (1)

netfortris/trixbox

Published Jul 28, 2014

Tracked Since Feb 18, 2026