CVE-2017-15970 in PHP CityPortal
Summary
by MITRE
PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/10/2025
CVE-2017-15970 represents a critical SQL injection vulnerability affecting PHP CityPortal 2.0 web application. This vulnerability exists in the application's handling of user-supplied input parameters within the index.php script when processing news-related actions. The flaw manifests when the application fails to properly sanitize or validate input passed through the nid parameter in the page=news action or the cat parameter, creating an opportunity for malicious actors to execute arbitrary SQL commands against the underlying database. The vulnerability is classified as a CWE-89 SQL Injection weakness, which is one of the most prevalent and dangerous web application security flaws according to the CWE database. This issue falls under the ATT&CK technique T1190 Exploit Public-Facing Application, as it targets a publicly accessible web interface that can be exploited by remote attackers without requiring privileged access. The attack vector is particularly concerning because it allows an unauthenticated attacker to manipulate database queries directly through the web application's user interface, potentially enabling complete database compromise including data exfiltration, modification, or deletion. The vulnerability affects the application's core functionality where news items are displayed and categorized, making it a high-value target for attackers seeking to gain unauthorized access to sensitive information. When exploited, this vulnerability can lead to unauthorized data access, data manipulation, and potentially full system compromise if the database user has elevated privileges. The impact extends beyond simple data theft as attackers can use this vulnerability to establish persistent access points within the application environment. The vulnerability's exploitation requires minimal technical expertise, making it particularly dangerous as it can be leveraged by attackers with varying skill levels. Organizations using PHP CityPortal 2.0 should immediately implement input validation and parameterized queries to prevent this vulnerability from being exploited. Additionally, regular security assessments and web application firewalls should be deployed to monitor and block malicious SQL injection attempts. The remediation approach should focus on implementing proper input sanitization, output encoding, and least privilege database access controls to minimize the potential impact of such vulnerabilities. Security teams should also consider implementing automated vulnerability scanning tools that can detect similar injection flaws across their entire web application portfolio to prevent similar incidents from occurring in other systems.