CVE-2014-5521

xrms_crm - Authenticated Remote Code Execution via Username Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5521. PoCs published by Benjamin Harris.

AI-analyzed exploit summary This exploit demonstrates a blind SQL injection via $_SESSION poisoning in XRMS, followed by command execution. It extracts admin credentials through time-based SQLi and then leverages session manipulation to achieve RCE.

Description

plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows remote authenticated users to execute arbitrary code via shell metacharacters in the username parameter.

Exploits (1)

exploitdb WORKING POC
by Benjamin Harris · pythonwebappsphp
https://www.exploit-db.com/exploits/34452

This exploit demonstrates a blind SQL injection via $_SESSION poisoning in XRMS, followed by command execution. It extracts admin credentials through time-based SQLi and then leverages session manipulation to achieve RCE.

Classification
Working Poc 95%
Attack Type
Sqli | Rce
Complexity
Moderate
Reliability
Reliable
Target: XRMS (version not specified)
No auth needed
Prerequisites: Target must be running vulnerable XRMS instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Aug/78
Exploit mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/08/27/4
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/08/29/1
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34452

Scores

EPSS 0.0707
EPSS Percentile 93.4%

Details

CWE
CWE-89
Status published
Products (1)
xrms_crm_project/xrms_crm 1.99.2
Published Sep 02, 2014
Tracked Since Feb 18, 2026