VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 9, 2014· Updated May 6, 2026

CVE-2014-4194

CVE-2014-4194

Description

SQL injection vulnerability in ZeroCMS 1.0 via article_id parameter in zero_transact_article.php allows remote unauthenticated attackers to execute arbitrary SQL commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in ZeroCMS 1.0 via article_id parameter in zero_transact_article.php allows remote unauthenticated attackers to execute arbitrary SQL commands.

Vulnerability

The SQL injection flaw lives in zero_transact_article.php of ZeroCMS version 1.0. When a Submit Comment action is processed, the article_id GET parameter is directly concatenated into SQL queries without proper sanitization or parameterization. No authentication or special privileges are required to reach this code path.

Exploitation

An attacker can craft a malicious HTTP request to the vulnerable endpoint, providing a specially crafted article_id value containing SQL syntax. No user interaction is needed beyond the server processing the request. The attack is straightforward: simply append SQL payloads to the article_id parameter in the request URL.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL statements against the underlying database. This can lead to unauthorized reading, modification, or deletion of data (including user credentials and site content), and in some configurations may enable further server compromise.

Mitigation

As of the available reference [1], no official patch has been released. The vendor (ZeroCMS) status is unknown. The recommended mitigation is to immediately apply input validation and use parameterized queries for the article_id parameter. Operators should upgrade if a fixed version becomes available or consider replacing the CMS.

References
  1. Packet Storm

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Zero CMS/Zerocmsinferred2 versions
    = 1.0+ 1 more
    • (no CPE)range: = 1.0
    • (no CPE)range: =1.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application does not properly sanitize the 'article_id' POST parameter in zero_transact_article.php, allowing SQL injection."

Attack vector

An attacker can exploit this vulnerability by sending a crafted POST request to the `zero_transact_article.php` script. The `article_id` parameter is vulnerable to SQL injection because it is not properly sanitized before being used in a database query. This allows an attacker to inject arbitrary SQL commands, potentially leading to sensitive information disclosure or system compromise [ref_id=1]. The vulnerability is present in ZeroCMS version 1.0 [ref_id=1].

Affected code

The vulnerability lies within the `zero_transact_article.php` file in ZeroCMS version 1.0. Specifically, the `article_id` POST parameter is processed without adequate sanitization, allowing for SQL injection attacks [ref_id=1].

What the fix does

The advisory does not provide details on a specific patch or fix. However, it indicates that the `article_id` POST parameter in `zero_transact_article.php` is not properly sanitized, which is the root cause of the SQL injection vulnerability [ref_id=1]. Remediation would involve implementing proper input validation and sanitization for this parameter to neutralize special SQL characters.

Preconditions

  • inputThe 'article_id' POST parameter must be provided.
  • configThe application must be running ZeroCMS version 1.0.

Reproduction

POST /zerocms/zero_transact_article.php HTTP/1.1 Cache-Control: no-cache Referer: http://[Removed]/zerocms/zero_comment.php?article_id=9 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Accept-Language: en-us,en;q=0.5 Host: [Removed] Cookie: PHPSESSID=[Removed] Accept-Encoding: gzip, deflate Content-Length: 53 Content-Type: application/x-www-form-urlencoded

action=Submit+Comment&article_id='&comment_text=3 [ref_id=1]

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.