CVE-2015-2678

genixcms < 0.0.1 - Cross-Site Scripting via cat or page Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2678. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates unauthenticated SQL injection and persistent XSS vulnerabilities in GeniXCMS v0.0.1. It includes payloads for extracting admin credentials, reading files, and executing arbitrary JavaScript via stored and reflected XSS.

Description

Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter in the categories page to gxadmin/index.php or (2) page parameter to index.php.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/36321

This exploit demonstrates unauthenticated SQL injection and persistent XSS vulnerabilities in GeniXCMS v0.0.1. It includes payloads for extracting admin credentials, reading files, and executing arbitrary JavaScript via stored and reflected XSS.

Classification
Working Poc 100%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Reliable
Target: GeniXCMS v0.0.1
No auth needed
Prerequisites: Target running GeniXCMS v0.0.1 · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/73301
Issue Tracking x_refsource_misc
https://github.com/semplon/GeniXCMS/issues/7
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/36321
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/119394

Scores

EPSS 0.0540
EPSS Percentile 91.6%

Details

CWE
CWE-79
Status published
Products (1)
genixcms/genixcms < 0.0.1
Published Mar 23, 2015
Tracked Since Feb 18, 2026