CVE-2014-9236

Zoph < 0.9.1 - Cross-Site Scripting via photographer_id or _crumb Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9236. PoCs published by Manuel García Cárdenas.

AI-analyzed exploit summary The document details SQL injection and XSS vulnerabilities in Zoph <= 0.9.1, providing specific attack vectors and proof-of-concept URLs. It includes technical descriptions of the vulnerabilities but does not contain functional exploit code.

Description

Cross-site scripting (XSS) vulnerability in php/edit_photos.php in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) photographer_id or (2) _crumb parameter.

Exploits (1)

exploitdb WRITEUP

by Manuel García Cárdenas · textwebappsphp

https://www.exploit-db.com/exploits/35278

View Code ZIP pw:eip

The document details SQL injection and XSS vulnerabilities in Zoph <= 0.9.1, providing specific attack vectors and proof-of-concept URLs. It includes technical descriptions of the vulnerabilities but does not contain functional exploit code.

Classification

Writeup 90%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: Zoph <= 0.9.1

Auth required

Prerequisites: Access to the vulnerable Zoph application · Authentication credentials

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit x_refsource_misc

http://packetstormsecurity.com/files/129141/Zoph-0.9.1-Cross-Site-Scripting-SQL-Injection.html

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2014/Nov/45

Scores

EPSS 0.0265

EPSS Percentile 83.6%

Details

CWE

CWE-79

Status published

Products (1)

zoph/zoph < 0.9.1

Published Dec 03, 2014

Tracked Since Feb 18, 2026