LiveActive security incident?Get immediate response
CVE Record

CVE-2007-2898: SQL injection vulnerability in includes/rating.php in 2z Project 0.9.5 allows remote attackers to execute a...

SQL injection vulnerability in includes/rating.php in 2z Project 0.9.5 allows remote attackers to execute arbitrary SQL commands via the rating parameter to index.php.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's Takehigh

Analyst readout for executives and security teams

Plain-English summary

CVE-2007-2898 is a remote SQL injection issue in 2z Project 0.9.5. If that old application is still internet-facing, an attacker may be able to manipulate database queries through the site rating feature. Business risk depends on whether the product is deployed and what data its database contains.

Executive priority

Prioritize as high only if 2z Project 0.9.5 is present, especially on public sites. Otherwise, treat as a targeted legacy technology inventory item.

Technical view

The CVE describes unsanitized handling of the rating parameter to index.php, reaching includes/rating.php in 2z Project 0.9.5 and allowing arbitrary SQL execution. The source bundle does not provide CVSS, CWE, vendor patch details, or complete affected CPE metadata.

Likely exposure

Exposure is most likely limited to organizations still running 2z Project 0.9.5 or derived legacy code with the same rating.php logic. Confirm before prioritizing broadly.

Exploitation context

KEV is false, and the provided sources do not establish active exploitation. Public advisory references from 2007 indicate disclosure of the vulnerable parameter, so legacy exposed instances should be treated seriously.

Researcher notes

The bundle names the vulnerable file, route, and parameter but lacks scoring, CWE, patch, and exploit-observed evidence. Avoid broad product assumptions because the affected metadata is incomplete despite the CVE description identifying 2z Project 0.9.5.

Mitigation direction

  • Inventory web assets for 2z Project 0.9.5 or copied rating.php code.
  • Check vendor or archived project guidance for an official fixed release.
  • Remove, retire, or isolate obsolete exposed 2z Project installations.
  • Restrict public access to affected rating functionality until remediation is confirmed.
  • Review database privileges used by the application and reduce unnecessary access.

Validation and detection

  • Confirm whether any deployed application identifies as 2z Project 0.9.5.
  • Review index.php and includes/rating.php for unsafe rating parameter handling.
  • Check web logs for suspicious rating parameter activity and database error patterns.
  • Verify whether any compensating WAF or access control covers the affected route.
  • Document findings against the exact application version and code path.
Prepared
Confidence
medium
Sources
7

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Database behavior lookup

The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2007-2898 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
8Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.