CVE-2017-15578

HIGH

PHP Melody < 2.7.3 - SQL Injection via Image Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15578.

AI-analyzed exploit summary

The document details three vulnerabilities in PHP Melody 2.7.3: a stored XSS leading to admin account takeover, and two SQL injection flaws (one requiring admin interaction, another via cookie manipulation). It includes technical details like vulnerable parameters and payload examples.

Description

In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php.

Exploits (1)

exploitdb WRITEUP
webapps · php
https://www.exploit-db.com/exploits/44056

Classification
Writeup 95%
Attack Type
XSS | SQLi
Complexity
Moderate
Reliability
Reliable
Target: PHP Melody 2.7.3
No auth needed
Prerequisites: Access to the target application · Admin interaction for one SQLi vector
devstral-2 · analyzed Feb 19, 2026

References (2)

Core References (2)
Release Notes, Vendor Advisory x_refsource_misc
http://www.phpsugar.com/blog/2017/10/php-melody-v2-7-3-maintenance-release/
Exploit, Third Party Advisory x_refsource_misc
https://blogs.securiteam.com/index.php/archives/3464

Scores

CVSS v3 8.8
EPSS 0.0134
EPSS Percentile 67.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
phpsugar/php_melody < 2.7.2
Published Oct 18, 2017
Tracked Since Feb 18, 2026