CVE-2014-9148

CRITICAL

fiyo_cms < 2.0.1.8 - Improper Access Control via Direct Request to fiyo/dapur

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9148. PoCs published by Mahendra.

AI-analyzed exploit summary

This exploit demonstrates multiple SQL injection vulnerabilities in FiyoCMS 2.0.1.8, including UNION-based and time-based blind SQLi. It provides detailed payloads for exploiting vulnerable parameters like 'id', 'cat', 'user', and 'level'.

Description

Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.

Exploits (1)

exploitdb · WORKING POC
by Mahendra · text · webapps · php
https://www.exploit-db.com/exploits/36581


Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: FiyoCMS 2.0.1.8
Authentication: No auth needed
Prerequisites: Access to the vulnerable FiyoCMS instance
Analysis: devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/73437
Exploit, Issue Tracking, Third Party Advisory, VDB Entry (x_refsource_misc)
http://packetstormsecurity.com/files/131165/FiyoCMS-2.0.1.8-XSS-SQL-Injection-URL-Bypass.html
Exploit, Issue Tracking, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db)
https://www.exploit-db.com/exploits/36581/

Scores

CVSS v3: 9.8
EPSS: 0.2423
EPSS Percentile: 96.2%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-284
Status: published
Products (1): fiyo/fiyo_cms < 2.0.1.8
Published: Oct 16, 2017
Tracked Since: Feb 18, 2026