CVE-2015-1428

Sefrengo < 1.6.1 - SQL Injection via sefrengo Cookie or value_id Parameter

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1428. PoCs published by ITAS Team.

AI-analyzed exploit summary: This exploit demonstrates SQL injection vulnerabilities in Sefrengo CMS v1.6.1, specifically targeting the `id` parameter in the `ac_get_value` function and the `value_id` parameter in the `set_value` function. The PoC includes HTTP requests with injection points marked.

Description

Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands via the value_id parameter in a save_value action to backend/main.php.

Exploits (1)

exploitdb WORKING POC
by ITAS Team · text · webapps · php
https://www.exploit-db.com/exploits/35972

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Sefrengo CMS v1.6.1
Auth required
Prerequisites: Access to the target application · Valid session cookies for authenticated endpoints
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0279
EPSS Percentile 84.5%

Details

CWE: CWE-89
Status: published
Products (1): sefrengo/sefrengo < 1.6.1
Published: Feb 03, 2015
Tracked Since: Feb 18, 2026