CVE-2015-2680

GeniXCMS < 0.0.2 - Cross-Site Request Forgery via Administrator Account Addition

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2680. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates unauthenticated SQL injection and persistent XSS vulnerabilities in GeniXCMS v0.0.1. It includes payloads for extracting admin credentials, reading files, and executing arbitrary JavaScript via stored and reflected XSS.

Description

Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS before 0.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request in the users page to gxadmin/index.php.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/36321

This exploit demonstrates unauthenticated SQL injection and persistent XSS vulnerabilities in GeniXCMS v0.0.1. It includes payloads for extracting admin credentials, reading files, and executing arbitrary JavaScript via stored and reflected XSS.

Classification
Working Poc 100%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Reliable
Target: GeniXCMS v0.0.1
No auth needed
Prerequisites: Target running GeniXCMS v0.0.1 · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Issue Tracking x_refsource_confirm
https://github.com/semplon/GeniXCMS/issues/7
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/119391
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/73299
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/36321

Scores

EPSS 0.0394
EPSS Percentile 89.0%

Details

CWE
CWE-352
Status published
Products (1)
metalgenix/genixcms < 0.0.1
Published Mar 23, 2015
Tracked Since Feb 18, 2026