CVE-2014-9235

Zoph < 0.9.1 - Authenticated SQL Injection via _action or location_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9235.

AI-analyzed exploit summary The exploit demonstrates SQL injection and XSS vulnerabilities in Zoph <= 0.9.1 via crafted HTTP GET requests targeting specific parameters in group.php, photos.php, user.php, and edit_photos.php. The PoC includes clear examples of malicious input for both attack types.

Description

Multiple SQL injection vulnerabilities in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) _action parameter to group.php or (2) user.php or the (3) location_id parameter to photos.php in php/.

Exploits (1)

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/35278

View Code ZIP pw:eip

The exploit demonstrates SQL injection and XSS vulnerabilities in Zoph <= 0.9.1 via crafted HTTP GET requests targeting specific parameters in group.php, photos.php, user.php, and edit_photos.php. The PoC includes clear examples of malicious input for both attack types.

Classification

Working Poc 90%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: Zoph <= 0.9.1

Auth required

Prerequisites: Access to the Zoph web application · Valid authentication credentials

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059.007 - JavaScript

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit x_refsource_misc

http://packetstormsecurity.com/files/129141/Zoph-0.9.1-Cross-Site-Scripting-SQL-Injection.html

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2014/Nov/45

Scores

EPSS 0.0207

EPSS Percentile 78.9%

Details

CWE

CWE-89

Status published

Products (1)

zoph/zoph < 0.9.1

Published Dec 03, 2014

Tracked Since Feb 18, 2026