CVE-2019-25703

ImpressCMS 1.3.11 SQL Injection via bid Parameter

CVSS 7.1 HIGHEPSS 0.3%CWE-89

ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Impresscms · ImpressCMS

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/46239unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip https://www.exploit-db.com/exploits/46239 https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter http://www.impresscms.org/