VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2015 · Updated May 6, 2026

CVE-2015-1442

Description

SQL injection in ZeroCMS 1.3.3 and earlier allows authenticated users to execute arbitrary SQL commands via the user_id parameter in zero_transact_user.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An SQL injection vulnerability exists in the zero_transact_user.php file of ZeroCMS versions 1.3.3, 1.3.2, and earlier [1]. The user_id parameter is not properly sanitized before being used in SQL queries within the administrative backend. This allows remote authenticated users to inject arbitrary SQL commands [2].

Exploitation

An attacker must have valid credentials and access to the administrative backend. The attack is performed via a POST request to /views/zero_transact_user.php with a crafted user_id parameter in the Modify Account action [1]. For example, appending AND SLEEP(30) to the user_id value enables blind SQL injection via time delays [2].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands on the database [1]. This can lead to unauthorized disclosure, modification, or deletion of data, including user credentials. The attacker can potentially escalate privileges within the application [2].

Mitigation

No official patch has been released by the vendor, who has indicated the platform will be moved to Rails4 [1]. Users are advised to restrict access to the administrative backend and monitor for suspicious activity. If possible, apply input validation or upgrade to a non-vulnerable version [3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Zero CMS / Zerocms (inferred), 2 versions: <=1.3.3
    • (no CPE) range: <=1.3.3
    • (no CPE) range: <=1.3.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of the user_id parameter in views/zero_transact_user.php allows SQL injection."

Attack vector

An attacker must be an authenticated user with access to the administrative backend of ZeroCMS [ref_id=1]. The attacker sends a POST request to `/views/zero_transact_user.php` with a crafted `user_id` parameter containing SQL injection payloads, such as `user_id=2 AND SLEEP(30)`, while performing a "Modify Account" action [ref_id=1][ref_id=2]. The unsanitized `user_id` input is directly incorporated into a SQL query, enabling the attacker to execute arbitrary SQL commands [CWE-89].

Affected code

The vulnerability is in the file `views/zero_transact_user.php` within the administrative backend of ZeroCMS. The `user_id` parameter, passed via POST request, is not sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL commands [ref_id=1][ref_id=2].

What the fix does

No patch is provided by the vendor. The advisory states that version 1.3.3 is the last PHP-based release and the platform will be moved to Rails4, so no fix is expected for the PHP codebase [ref_id=1]. The recommended remediation would be to properly sanitize or parameterize the `user_id` input in `views/zero_transact_user.php` before using it in SQL queries [CWE-89].
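An added illustration of the remediation described above, not ZeroCMS's own code: a vulnerable pattern of the kind the advisory describes, beside a hardened handler that validates `user_id` as an integer and binds every value through a PDO prepared statement. The table and column names, and the SQLite demo database, are assumptions.

```php
<?php
// Added example, not ZeroCMS code. Table/column names are assumptions.

// VULNERABLE PATTERN (for contrast): the POST value is interpolated into the query
// string, so a value such as "2 AND SLEEP(30)" becomes part of the SQL that runs.
function modifyAccountVulnerable(PDO $db, array $post): int
{
    $userId = $post['user_id'];   // untrusted, used verbatim
    $sql = "UPDATE users SET access_level = {$post['access_level']} WHERE user_id = $userId";
    return $db->exec($sql);       // affected rows; injection possible
}

// HARDENED VERSION: reject anything that is not a plain integer id, then bind every
// value as a parameter so the database never treats input as SQL syntax.
function modifyAccountHardened(PDO $db, array $post): int
{
    // FILTER_VALIDATE_INT returns false for "2 AND SLEEP(30)", "2;--", "", etc.
    $userId = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $accessLevel = filter_var($post['access_level'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $name = $post['name'] ?? '';
    if ($userId === false || $accessLevel === false || $email === false || $name === '') {
        throw new InvalidArgumentException('rejected Modify Account request: invalid field');
    }

    $stmt = $db->prepare(
        'UPDATE users SET name = :name, email = :email, access_level = :level WHERE user_id = :id'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':level', $accessLevel, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, email TEXT, access_level INTEGER)');
$db->exec("INSERT INTO users VALUES (2, 'user', 'user@user.de', 1)");

// The advisory's crafted request, decoded: user_id carries a SQL fragment.
$crafted = ['name' => 'user', 'email' => 'user@user.de', 'access_level' => '1',
            'user_id' => '2 AND SLEEP(30)', 'action' => 'Modify Account'];
try {
    modifyAccountHardened($db, $crafted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // the crafted user_id never reaches the database
}
$clean = $crafted; $clean['user_id'] = '2';
echo modifyAccountHardened($db, $clean), " row(s) updated", PHP_EOL;
```

The integer check is the cheap first line of defence; the prepared statement is what actually removes the injection, so keep both even if the id is later cast.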

Preconditions

  • auth: Attacker must be an authenticated user with access to the administrative backend of ZeroCMS.
  • network: Attacker must be able to send POST requests to /views/zero_transact_user.php.
  • input: The user_id parameter must be accepted without sanitization.

Reproduction

1. Log in to the ZeroCMS administrative backend.
2. Send a POST request to `/views/zero_transact_user.php` with the following parameters (example from [ref_id=1]): `name=user&email=user%40user.de&access_level=1&user_id=2 AND SLEEP(30)&action=Modify+Account`
3. Observe a delay in the response, confirming blind SQL injection via the `user_id` parameter.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (8)

News mentions (0)

No linked articles in our index yet.