CVE-2014-2009

mpay24 < 1.5.1 - Unauthenticated Sensitive Information Exposure via Direct Request to API Log

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2009. PoCs published by Wireghoul.

AI-analyzed exploit summary: The document describes two vulnerabilities in the Mpay24 PrestaShop Payment Module: a blind SQL injection (CVE-2014-2008) and an information disclosure issue (CVE-2014-2009). The SQL injection allows database extraction via crafted requests, while the information disclosure exposes API credentials and local paths through an accessible log file.

Description

The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.

Exploits (1)

exploitdb WRITEUP
by Wireghoul · text · webapps · php
https://www.exploit-db.com/exploits/34586

Classification: Writeup 100%
Attack Type: Sqli | Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Mpay24 Payment Module for PrestaShop 1.5 and earlier
No auth needed
Prerequisites: Mpay24 module installed on PrestaShop · For info_leak: debug mode enabled (default until version 1.6)
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/95721
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/110738
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34586
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Sep/23
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/69560

Scores

EPSS 0.0741
EPSS Percentile 93.6%

Details

CWE: CWE-200
Status: published
Products (12)
mpay24_project/mpay24 1.4.0
mpay24_project/mpay24 1.4.1
mpay24_project/mpay24 1.4.2
mpay24_project/mpay24 1.4.3
mpay24_project/mpay24 1.4.4
mpay24_project/mpay24 1.4.5
mpay24_project/mpay24 1.4.6
mpay24_project/mpay24 1.4.7
mpay24_project/mpay24 1.4.8
mpay24_project/mpay24 1.4.9
... and 2 more
Published Sep 12, 2014
Tracked Since Feb 18, 2026