CVE-2007-0904

LightRO CMS 1.0 - SQL Injection via ID Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-0904. PoCs published by ajann.

AI-analyzed exploit summary This is a functional SQL injection exploit for LightRO CMS 1.0, targeting the 'projectid' parameter in index.php. It extracts user credentials (username, password, email) via a union-based SQL injection and displays them in a web interface.

Description

SQL injection vulnerability in projects.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter to index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by ajann · webappsphp
https://www.exploit-db.com/exploits/3286

This is a functional SQL injection exploit for LightRO CMS 1.0, targeting the 'projectid' parameter in index.php. It extracts user credentials (username, password, email) via a union-based SQL injection and displays them in a web interface.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: LightRO CMS 1.0
No auth needed
Prerequisites: Target URL with vulnerable LightRO CMS installation · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/34598
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/32347
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/3286
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0540

Scores

EPSS 0.0103
EPSS Percentile 59.1%

Details

Status published
Products (1)
lightro/lightro_cms 1.0
Published Feb 13, 2007
Tracked Since Feb 18, 2026