CVE-2014-4034
Description
An unauthenticated SQL injection in ZeroCMS 1.0's article_id parameter allows remote attackers to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2014-4034 is a SQL injection vulnerability in the article_id parameter of zero_view_article.php in ZeroCMS 1.0 [1][2]. The application fails to sanitize user-supplied input before incorporating it into a SQL query, enabling an attacker to inject arbitrary SQL commands. The vulnerable code path is reachable via a standard HTTP GET request without requiring any authentication or special privileges [2][3]. The advisory published by Steffen Rösemann later confirmed that the same vulnerability exists in versions up to and including 1.3.3 [2][3].
Exploitation
An unauthenticated remote attacker can exploit the vulnerability by sending a crafted HTTP GET request to the `/views/zero_view_article.php` script with a malicious `article_id` parameter [2][3]. For example, visiting `http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database(),2,version(),user(),5,6--+` directly extracts database metadata [2][3]. No prior authentication, session cookie, or user interaction is required; the only precondition is that the target runs a vulnerable version of ZeroCMS [2][3].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database [1][2]. This can lead to unauthorized retrieval of sensitive information (e.g., user credentials, application data), potential modification or deletion of database content, and, in some configurations, escalation to operating system command execution [2][3]. The attacker gains the full privileges of the database user under which the web application operates [2][3].
Mitigation
As of the available references, no official patch has been released for ZeroCMS to address CVE-2014-4034 [2][3]. The vendor indicated that the platform would be moving to Rails 4 but did not provide a specific fix for the vulnerable PHP code [2]. Administrators are advised to isolate the application from untrusted networks, apply input sanitization manually, or consider migrating to an alternative CMS that is actively maintained [2][3]. There is no indication that this vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
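An added example, not part of the original page or of ZeroCMS: with no vendor patch available, one stopgap is an allow-list on `article_id`, and the same rule run over web server access logs surfaces past injection attempts. It assumes combined-format logs and that legitimate ids are plain decimal integers; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/[\d.]+"')
SCRIPT = "zero_view_article.php"
# Assumption: article ids are plain non-negative integers of at most 10 digits.
VALID_ID = re.compile(r"[0-9]{1,10}")

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2015:10:00:01 +0000] "GET /views/zero_view_article.php?article_id=7 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Feb/2015:10:02:13 +0000] "GET /views/zero_view_article.php'
    '?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+ HTTP/1.1" 200 4871',
    '203.0.113.5 - - [01/Feb/2015:10:05:40 +0000] "GET /views/zero_view_article.php?article_id=12%27 HTTP/1.1" 500 312',
    '192.0.2.10 - - [01/Feb/2015:10:06:02 +0000] "GET /index.php?article_id=abc HTTP/1.1" 200 2048',
]


def check_article_id(value):
    """Allow-list check: True only for a plain decimal integer."""
    return VALID_ID.fullmatch(value) is not None


def suspicious_requests(log_lines):
    """Return (client_ip, decoded article_id) for requests failing the allow-list."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/" + SCRIPT):
            continue  # only the vulnerable script is of interest here
        # parse_qs decodes %XX and '+'; keep blanks so an empty id is flagged too.
        params = parse_qs(url.query, keep_blank_values=True)
        if "article_id" not in params:
            continue
        values = params["article_id"]
        # A repeated parameter is flagged as well as a non-numeric one.
        if len(values) != 1 or not check_article_id(values[0]):
            findings.append((line.split(" ", 1)[0], "|".join(values)))
    return findings


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\tarticle_id={value!r}")
```

The same `check_article_id` rule can be enforced in front of the application (reverse proxy or WAF) so that non-numeric values never reach the PHP script.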
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization of the article_id GET parameter in zero_view_article.php allows SQL injection."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP GET request to `/views/zero_view_article.php` with a malicious `article_id` parameter [ref_id=1][ref_id=2]. Because the input is not sanitized [CWE-89], the attacker can inject arbitrary SQL commands, such as a UNION SELECT payload to extract database contents [ref_id=1][ref_id=3]. No authentication or special privileges are required [ref_id=1][ref_id=2].
Affected code
The vulnerability is in `zero_view_article.php`: the `article_id` GET parameter is not sanitized before being used in SQL queries [ref_id=1][ref_id=3]. The file is located under the `views/` directory in a standard ZeroCMS installation [ref_id=1].
What the fix does
No official patch was released for this vulnerability; the vendor stated that the PHP-based ZeroCMS platform would be moving to Rails 4 and that version 1.3.3 was the last PHP release [ref_id=1]. The advisory recommends that users migrate to the Rails 4 version or apply input sanitization to the `article_id` parameter themselves [ref_id=1].
Preconditions
- config: The target must be running ZeroCMS version 1.0 through 1.3.3
- auth: No authentication required; the attacker can be unauthenticated
- network: Attacker must be able to send HTTP GET requests to the vulnerable endpoint
- input: Attacker supplies a malicious `article_id` GET parameter containing a SQL injection payload
Reproduction
Visit `http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+` [ref_id=1][ref_id=2]. Alternatively, use the PoC from Exploit-DB: `http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+concat(unhex(hex(cast(database()+as+char)))),2,3,4,5,6--` [ref_id=3].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 13
- packetstormsecurity.com/files/127005/ZeroCMS-1.0-SQL-Injection.html (nvd: Exploit, Third Party Advisory, VDB Entry)
- packetstormsecurity.com/files/130192/ZeroCMS-1.3.3-SQL-Injection.html (nvd: Exploit, Third Party Advisory, VDB Entry)
- www.exploit-db.com/exploits/33702 (nvd: Exploit, Third Party Advisory, VDB Entry)
- www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5186.php (nvd: Exploit, Third Party Advisory)
- seclists.org/fulldisclosure/2015/Feb/4 (nvd: Mailing List, Third Party Advisory)
- seclists.org/oss-sec/2015/q1/379 (nvd: Mailing List, Third Party Advisory)
- seclists.org/oss-sec/2015/q1/380 (nvd: Mailing List, Third Party Advisory)
- sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-14.html (nvd: Not Applicable)
- sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html (nvd: Not Applicable)
- sroesemann.blogspot.de/2015/02/addition-for-advisory-sroeadv-2015-14.html (nvd: Not Applicable)
- www.securityfocus.com/bid/67953 (nvd: Not Applicable, VDB Entry)
- secunia.com/advisories/59182 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/100588 (nvd)