CVE-2018-18794

HIGH

School Event Management System 1.0 - Cross-Site Request Forgery via User Edit Endpoint

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18794. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Request Forgery (CSRF) vulnerability in School Event Management System 1.0, allowing an attacker to update admin credentials without user interaction. The PoC includes an HTML form and HTTP request to modify the admin account.

Description

School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/45724

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: School Event Management System 1.0
No auth needed
Prerequisites: Victim must be authenticated and visit a malicious page
devstral-2 · analyzed Feb 16, 2026

References (2)

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45724/

Scores

CVSS v3: 8.8
EPSS: 0.0238
EPSS Percentile: 81.8%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-352
Status: published
Products (1): school_event_management_system_project/school_event_management_system 1.0
Published: Nov 16, 2018
Tracked Since: Feb 18, 2026