CVE-2014-9148
published 2017-10-16

Priority: P2 · 68
CVSS 3.0: 9.8 (critical) · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 11.45% (95.5th percentile)
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.

Affected (1 range)

Vendor | Product  | Version range | Fixed in
fiyo   | fiyo_cms | <= 2.0.1.8    |

Detection & IOCs (extracted from sources)

url: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=edit&id=1 [sqli]
path: /fiyo/dapur/apps/app_article/controller/article_list.php
path: /fiyo/dapur/apps/app_user/controller/check_user.php
path: /fiyo/dapur
path: /fiyo//plugins/plg_kcfinder/browse.php
command: dir=files&file=../../../../../../../etc/passwd
command: act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT
  • Detect direct unauthenticated GET requests to /fiyo/dapur with a 'view' parameter attempting to access Install/Update or Backup functions, which should require super administrator privileges.
  • Monitor POST requests to /fiyo/dapur/apps/app_user/controller/check_user.php for SQL injection patterns in the 'username' parameter (e.g., SLEEP, UNION, boolean-based payloads).
  • Detect directory traversal attempts via POST to /fiyo//plugins/plg_kcfinder/browse.php with 'file' parameter containing '../' sequences targeting /etc/passwd.
  • Monitor GET requests to /fiyo/dapur/index.php with 'id' parameter containing SQL injection payloads such as UNION SELECT or SLEEP().
  • Monitor GET requests to /fiyo/dapur/apps/app_article/controller/article_list.php with SQL injection in 'cat', 'user', or 'level' parameters.
  • The IP address 192.168.248.132 used in all PoC URLs is a private lab/test IP from the researcher's environment and is not an operational attacker infrastructure indicator.
  • CVE-2014-9148 specifically covers the access control bypass via the 'view' parameter in direct requests to fiyo/dapur; the SQL injection and directory traversal PoCs in the same advisory correspond to CVE-2014-9145 and CVE-2014-1222 respectively.
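The detection notes above, turned into a request classifier as an added example (not code from the page or from Fiyo CMS): it checks the paths and parameters the notes name and tags each hit with the CVE the notes attribute it to. The sample requests, including the view value "backup", are constructed; the page does not state which 'view' values reach the Install/Update or Backup functions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Injection markers named in the detection notes: SLEEP(), UNION SELECT, boolean ' AND / ' OR.
SQLI_RE = re.compile(r"sleep\s*\(|union\s+select|'\s*(?:and|or)\s", re.I)
TRAVERSAL_RE = re.compile(r"\.\./")
# Per-controller parameters the detection notes name as injection points (CVE-2014-9145).
SQLI_TARGETS = {
    "/fiyo/dapur/apps/app_user/controller/check_user.php": ("username",),
    "/fiyo/dapur/index.php": ("id",),
    "/fiyo/dapur/apps/app_article/controller/article_list.php": ("cat", "user", "level"),
}

def request_params(uri, body=""):
    """Merge URL-decoded query-string and form-body parameters; the last value wins."""
    merged = {}
    for raw in (urlsplit(uri).query, body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged[key.lower()] = values[-1]
    return merged

def classify_request(uri, body=""):
    """Return (cve, detail) findings for one request to a Fiyo CMS install (body = POST form data)."""
    # Decode and collapse repeated slashes so /fiyo//plugins/... hits the same rule as /fiyo/plugins/...
    path = re.sub(r"/+", "/", unquote(urlsplit(uri).path)).lower().rstrip("/")
    params = request_params(uri, body)
    findings = []
    # CVE-2014-9148: 'view' sent straight to the dapur entry point. Logs carry no session state,
    # so each hit is a candidate to correlate with authentication records, not a confirmed bypass.
    if path in ("/fiyo/dapur", "/fiyo/dapur/index.php") and "view" in params:
        findings.append(("CVE-2014-9148", f"view={params['view']}"))
    for name in SQLI_TARGETS.get(path, ()):
        if SQLI_RE.search(params.get(name, "")):
            findings.append(("CVE-2014-9145", f"sqli in {name}"))
    # CVE-2014-1222: traversal in the kcfinder 'file' parameter, which arrives in the POST body.
    if path.endswith("/plugins/plg_kcfinder/browse.php") and TRAVERSAL_RE.search(params.get("file", "")):
        findings.append(("CVE-2014-1222", f"traversal in file={params['file']}"))
    return findings

# Constructed sample requests (uri, body) modelled on the IOCs above; not captured traffic.
SAMPLE_REQUESTS = [
    ("/fiyo/dapur/?view=backup", ""),
    ("/fiyo/dapur/apps/app_user/controller/check_user.php",
     "act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT"),
    ("/fiyo//plugins/plg_kcfinder/browse.php", "dir=files&file=../../../../../../../etc/passwd"),
    ("/fiyo/dapur/index.php?app=user&act=edit&id=1", ""),  # ordinary admin request, no finding
]

def scan(requests=SAMPLE_REQUESTS):
    return [(uri, cve, d) for uri, body in requests for cve, d in classify_request(uri, body)]
```

POST bodies only appear in WAF or request-body logs, so the check_user.php and browse.php rules need that source rather than a plain access log.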

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)