CVE-2014-8429

xEpan CMS <= 1.0.4.1 - Cross-Site Request Forgery via Administrative Account Creation

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-8429. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary: This is a working CSRF exploit for CVE-2014-8429 in xEpan CMS, which allows an attacker to create an administrative account by tricking an authenticated admin into visiting a malicious page. The exploit uses a hidden form with predefined values to submit a POST request, creating a user with admin privileges.

Description

Cross-site request forgery (CSRF) vulnerability in Xavoc Technocrats xEpan CMS 1.0.4.1, 1.0.4, 1.0.1, and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts via a crafted request to the owner/users page.

Exploits (1)

exploitdb (WORKING POC)
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/35381

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: xEpan CMS 1.0.1 and prior
No auth needed
Prerequisites: Victim must be logged in as an administrator · Attacker must trick the victim into visiting a malicious page
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534096/100/0/threaded

Scores

EPSS: 0.0224
EPSS Percentile: 80.6%

Details

CWE: CWE-352
Status: published
Products (3):
xavoc/xepan_cms 1.0.4
xavoc/xepan_cms 1.0.4.1
xavoc/xepan_cms < 1.0.1
Published: Nov 28, 2014
Tracked Since: Feb 18, 2026