CVE-2019-25366
Received - Intake
SQL Injection in microASP Portal+ CMS Exposes Database Data

Publication date: 2026-02-22

Last updated on: 2026-02-22

Assigner: VulnCheck

Description
microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name.
Meta Information
Published: 2026-02-22
Last Modified: 2026-02-22
Generated: 2026-05-06
AI Q&A: 2026-02-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: microasp
Product: portal+
Version / Range: *
CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

The microASP Portal+ CMS contains an SQL injection vulnerability in the 'explode_tree' parameter of the 'pagina.phtml' script. This flaw allows unauthenticated attackers to inject malicious SQL code because the input is not properly sanitized.

Attackers can send specially crafted requests that use SQL functions like extractvalue and concat to execute arbitrary SQL queries. This can be exploited to extract sensitive information from the database, such as the current database name. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This SQL injection vulnerability can be detected by sending crafted HTTP requests to the vulnerable script pagina.phtml, specifically targeting the explode_tree parameter with SQL injection payloads.

A proof-of-concept payload to test the vulnerability is:

pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+-

You can use tools like curl or wget to send this request and observe if the response contains database error messages or extracted database names, indicating the presence of the vulnerability.

Additionally, Google dork queries such as inurl:"/pagina.phtml?explode_tree" can help identify potentially vulnerable instances on the internet. [2]
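
A defender-side check for the request pattern described above, as an added example that is not part of the original page: it scans web server access logs for pagina.phtml requests whose explode_tree value contains SQL syntax after URL decoding and after unwrapping MySQL versioned comments. The combined log format, the token list beyond extractvalue and concat, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Tokens named on this page plus common injection markers (the extras are an assumption).
SQL_TOKENS = re.compile(
    r"extractvalue|updatexml|concat|\bselect\b|\bunion\b|database\s*\(|--|'",
    re.IGNORECASE,
)
# MySQL versioned comments such as /*!50000select*/ hide keywords from naive filters.
VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)
# Start of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.4 - - [22/Feb/2026:09:58:11 +0000] "GET /pagina.phtml?explode_tree=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Feb/2026:10:00:00 +0000] "GET /pagina.phtml?explode_tree=-1%27/*!50000and*/+/*!50000extractvalue*/(1,2)--+- HTTP/1.1" 500 312',
    '198.51.100.9 - - [22/Feb/2026:10:01:30 +0000] "GET /search.phtml?q=o%27neil HTTP/1.1" 200 880',
]


def normalize(value):
    """Unwrap versioned comments so the keyword inside becomes visible."""
    return VERSIONED_COMMENT.sub(r" \1 ", value)


def suspicious_requests(lines):
    """Return (client_ip, status, decoded_value) for suspect explode_tree values."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/pagina.phtml"):
            continue
        # parse_qsl percent-decodes values and turns '+' into a space.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "explode_tree" and SQL_TOKENS.search(normalize(value)):
                hits.append((ip, int(status), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} explode_tree={value!r}")
```

A hit paired with a 5xx status or an unusually small response is worth correlating with database error logs for the same timestamp.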


How can this vulnerability impact me?

This vulnerability can allow attackers to perform unauthorized SQL queries on the backend database of the microASP Portal+ CMS.

As a result, attackers may extract sensitive database information, potentially leading to data disclosure.

Such unauthorized access could also lead to further compromise of the CMS, affecting the integrity and confidentiality of the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

