CVE-2014-9435

Absolut Engine 1.73 - SQL Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9435. PoCs published by Steffen Rösemann.

AI-analyzed exploit summary: This advisory details multiple SQL injection and reflected XSS vulnerabilities in Absolut Engine v1.73 CMS, including specific exploit examples for parameters like sectionID, userID, and title. The vulnerabilities allow unauthorized database access and client-side script execution.

Description

Multiple SQL injection vulnerabilities in Absolut Engine 1.73 allow remote authenticated users to execute arbitrary SQL commands via the (1) sectionID parameter to admin/managersection.php, (2) userID parameter to admin/edituser.php, (3) username parameter to admin/admin.php, or (4) title parameter to admin/managerrelated.php.

Exploits (1)

exploitdb WRITEUP
by Steffen Rösemann · text · webapps · php
https://www.exploit-db.com/exploits/35670

Classification: Writeup 100%
Attack Type: SQLi | XSS
Complexity: Trivial
Reliability: Reliable
Target: Absolut Engine v1.73 CMS
Auth required
Prerequisites: Valid admin session · Access to administrative backend
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Dec/131
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71822

Scores

EPSS 0.0112
EPSS Percentile 62.0%

Details

CWE CWE-89
Status published
Products (1)
absolutengine/absolut_engine 1.73
Published Jan 02, 2015
Tracked Since Feb 18, 2026