CVE-2014-10023
Description
Multiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) edit_block.php, (2) edit_cat.php, (3) edit_note.php, or (4) rmv_topic.php in admincp/.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- cpe:2.3:a:topicsviewer:topicsviewer:3.0:beta1:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"Direct concatenation of the unsanitized `$_GET[id]` parameter into SQL queries in four admincp scripts."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP GET request to any of the four vulnerable admincp scripts, injecting SQL syntax via the `id` parameter [CWE-89]. For example, requesting `/admincp/edit_block.php?id=1+and+1=2+union+select+1,version(),3,4,5,6,7,8,9,10` causes the unsanitized input to be interpreted as part of the SQL query [ref_id=1]. The attacker can extract database contents such as the database version, enumerate tables, or potentially gain further access to the underlying system [CWE-89]. No authentication is required because the scripts do not verify the user's session before executing the query [ref_id=1].
Affected code
The vulnerability exists in four files under the admincp/ directory: edit_block.php (lines 46-48), edit_cat.php (lines 77-79), edit_note.php (lines 77-79), and rmv_topic.php (lines 46-47) [ref_id=1]. In each file, the `$_GET[id]` parameter is concatenated directly into a SQL query without any sanitization or parameterization [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or updated version [ref_id=1]. To remediate the vulnerability, the application must use parameterized queries (prepared statements) or properly escape the `id` input with a function such as `mysql_real_escape_string()` before including it in SQL statements [CWE-89]. The `@` error suppression operators in the existing code should also be removed so that database errors are not hidden during development [ref_id=1].
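The remediation described above, written out as an added example rather than code from TopicsViewer or the advisory: the `id` parameter is validated as an integer, the missing session check is enforced, and the query is parameterized through PDO with error suppression removed. The table name `blocks`, the `$_SESSION['admin']` flag and the connection credentials are assumptions, since the advisory does not show the original code.

```php
<?php
// Added example (not TopicsViewer's own code): a hardened version of the
// pattern the advisory describes for admincp/edit_block.php. The table
// name `blocks` and the session flag `admin` are assumptions.

// Shape of the vulnerable code described by the advisory (do not use):
//   $r = @mysql_query("SELECT * FROM blocks WHERE id=" . $_GET['id']);

// 1. Authorization first: the advisory notes the scripts never check the
//    session, so an unauthenticated request reaches the query.
session_start();
if (empty($_SESSION['admin'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Validate: the id must be a positive integer and nothing else.
//    filter_input() returns null if the parameter is absent and false if
//    it fails validation, so both cases are rejected.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('invalid id');
}

// 3. Parameterize: the value is sent separately from the SQL text, so it
//    can never be parsed as SQL. Credentials here are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=topicsviewer;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        // No `@` suppression: failures surface as exceptions and get logged.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$stmt = $pdo->prepare('SELECT * FROM blocks WHERE id = :id LIMIT 1');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$block = $stmt->fetch(PDO::FETCH_ASSOC);
if ($block === false) {
    http_response_code(404);
    exit('no such block');
}
```

With `ATTR_EMULATE_PREPARES` disabled the statement is prepared server-side, so the `id` value is bound as an integer rather than spliced into the query string by the driver.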
Preconditions
- network: The TopicsViewer 3.0 Beta 1 application must be installed and the admincp/ scripts must be reachable over HTTP.
- network: The attacker must be able to send HTTP GET requests to the server hosting the application.
- auth: No authentication or session is required; the vulnerable scripts accept unauthenticated requests.
Reproduction
1. Ensure TopicsViewer 3.0 Beta 1 is installed and the admincp/ directory is accessible.
2. Send a GET request to `/admincp/edit_block.php?id=1+and+1=2+union+select+1,version(),3,4,5,6,7,8,9,10` [ref_id=1].
3. Observe that the database version is returned in the response, confirming SQL injection.
4. Repeat with the other scripts: `/admincp/edit_cat.php?id=1+and+1=2+union+select+1,version(),3,4,5,6,7,8`, `/admincp/edit_note.php?id=1+and+1=2+union+select+1,version(),3,4,5`, and `/admincp/rmv_topic.php?id=1+and+1=2+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References