CVE-2014-3119

HIGH

web2project < 3.1 - Authenticated SQL Injection via Search String or Update Key Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3119. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary: The document describes SQL injection vulnerabilities in web2Project versions 3.1 and prior, specifically in the 'search_string' and 'updatekey' parameters. It includes exploitation examples for extracting MySQL version and writing arbitrary files, but does not contain executable exploit code.

Description

Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search_string parameter in the contacts module to index.php or allow remote attackers to execute arbitrary SQL commands via the updatekey parameter to (2) do_updatecontact.php or (3) updatecontact.php.

Exploits (1)

exploitdb WRITEUP
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/33818

Classification: Writeup 100%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: web2Project 3.1 and prior
Auth required
Prerequisites: Access to vulnerable web2Project instance · Authentication for some vectors
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.0173
EPSS Percentile 74.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1)
web2project/web2project < 3.1
Published Jan 31, 2020
Tracked Since Feb 18, 2026