CVE-2014-9005
Description
Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 allow remote attackers to execute arbitrary SQL commands via the (1) country, (2) gender1, or (3) gender2 parameter in a search action to index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 allow remote attackers to execute arbitrary SQL commands via search parameters.
Vulnerability
vldPersonals versions before 2.7.1 contain multiple SQL injection vulnerabilities in the search functionality. The country, gender1, and gender2 parameters passed via POST to index.php?m=search are not properly sanitized, allowing an attacker to inject arbitrary SQL commands. [1]
Exploitation
An attacker can exploit this vulnerability by sending a crafted POST request to the search action. The attack requires no authentication and can be performed remotely. The proof-of-concept uses a benchmark payload in the country parameter to demonstrate time-based SQL injection. [1]
Impact
Successful exploitation allows remote attackers to execute arbitrary SQL commands, potentially leading to data extraction, modification, or deletion. The attacker gains the ability to compromise the database backend, affecting confidentiality, integrity, and availability of the application data.
Mitigation
The vulnerability is fixed in version 2.7.1; its release date is unknown. Users should upgrade to vldPersonals 2.7.1 or later. No workarounds are mentioned in the available reference. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.