CVE-2014-9147

HIGH

Fiyo CMS < 2.0.1.8 - Exposure of Sensitive Information via Database Backup File

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9147. PoCs published by Mahendra.

AI-analyzed exploit summary This exploit demonstrates multiple SQL injection vulnerabilities in FiyoCMS 2.0.1.8, including UNION-based and time-based blind SQLi. It provides detailed payloads for exploiting vulnerable parameters like 'id', 'cat', 'user', and 'level'.

Description

Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.

Exploits (1)

exploitdb WORKING POC
by Mahendra · textwebappsphp
https://www.exploit-db.com/exploits/36581

This exploit demonstrates multiple SQL injection vulnerabilities in FiyoCMS 2.0.1.8, including UNION-based and time-based blind SQLi. It provides detailed payloads for exploiting vulnerable parameters like 'id', 'cat', 'user', and 'level'.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: FiyoCMS 2.0.1.8
No auth needed
Prerequisites: Access to the vulnerable FiyoCMS instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/73437
Exploit, Issue Tracking, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/131165/FiyoCMS-2.0.1.8-XSS-SQL-Injection-URL-Bypass.html
Exploit, Issue Tracking, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/36581/

Scores

CVSS v3 7.5
EPSS 0.1143
EPSS Percentile 95.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
fiyo/fiyo_cms < 2.0.1.8
Published Oct 16, 2017
Tracked Since Feb 18, 2026