CVE-2019-25366
Received - Intake
SQL Injection in microASP Portal+ CMS Exposes Database Data

Publication date: 2026-02-22

Last updated on: 2026-02-22

Assigner: VulnCheck

Description
microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name.
Meta Information
Published: 2026-02-22
Last Modified: 2026-02-22
Generated: 2026-06-16
AI Q&A: 2026-02-22
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: microasp
Product: portal+
Version / Range: *
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Impact Analysis

This vulnerability can allow attackers to perform unauthorized SQL queries on the backend database of the microASP Portal+ CMS.

As a result, attackers may extract sensitive database information, potentially leading to data disclosure.

Such unauthorized access could also lead to further compromise of the CMS, affecting the integrity and confidentiality of the system.

Executive Summary

The microASP Portal+ CMS contains an SQL injection vulnerability in the 'explode_tree' parameter of the 'pagina.phtml' script. This flaw allows unauthenticated attackers to inject malicious SQL code because the input is not properly sanitized.

Attackers can send specially crafted requests that use SQL functions like extractvalue and concat to execute arbitrary SQL queries. This can be exploited to extract sensitive information from the database, such as the current database name. [2]

Detection Guidance

This SQL injection vulnerability can be detected by sending crafted HTTP requests to the vulnerable script pagina.phtml, specifically targeting the explode_tree parameter with SQL injection payloads.

A proof-of-concept payload to test the vulnerability is:

- pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+-

You can use tools like curl or wget to send this request and observe if the response contains database error messages or extracted database names, indicating the presence of the vulnerability.

Additionally, Google dork queries such as inurl:"/pagina.phtml?explode_tree" can help identify potentially vulnerable instances on the internet. [2]
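
For defenders reviewing their own web server logs, the following added example (not part of the original record or of the vendor's code) flags pagina.phtml requests whose explode_tree value carries SQL syntax, after unwrapping the MySQL versioned comments used in the payload above. The combined-log format, the sample lines and the token list are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# MySQL runs the body of a versioned comment: /*!50000extractvalue*/ == extractvalue
VERSIONED_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Token list is an assumption chosen for this example, not a vendor signature.
SQL_TOKENS = re.compile(r"\b(extractvalue|updatexml|concat|select|union|database)\b|'|--", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2026:10:00:01 +0000] "GET /pagina.phtml?explode_tree=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Feb/2026:10:00:05 +0000] "GET /pagina.phtml?explode_tree=-1\'/*!50000and*/+'
    '/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,(/*!50000select*/+database())))--+- HTTP/1.1" 200 812',
    '198.51.100.7 - - [22/Feb/2026:10:00:09 +0000] "GET /pagina.phtml?explode_tree=1%27%2F%2A%2150000AND'
    '%2A%2F%20ExtractValue(1,1) HTTP/1.1" 200 812',
    '192.0.2.44 - - [22/Feb/2026:10:00:12 +0000] "GET /search.php?q=select+concat HTTP/1.1" 200 900',
]

def normalize(value):
    """Unwrap versioned comments, drop ordinary ones, collapse whitespace, lowercase."""
    value = VERSIONED_COMMENT.sub(r" \1 ", value)
    value = PLAIN_COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

def suspicious_tokens(log_line):
    """Return sorted SQL tokens found in explode_tree of a pagina.phtml request."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/pagina.phtml"):
        return []  # only the script named in the advisory is in scope
    hits = set()
    # parse_qs URL-decodes the value, so %27 and ' are treated alike
    for value in parse_qs(url.query, keep_blank_values=True).get("explode_tree", []):
        hits.update(t.group(0) for t in SQL_TOKENS.finditer(normalize(value)))
    return sorted(hits)

def scan(lines):
    """Return (line_number, tokens) for every flagged line."""
    return [(n, t) for n, line in enumerate(lines, 1) if (t := suspicious_tokens(line))]

if __name__ == "__main__":
    for n, tokens in scan(SAMPLE_LOG):
        print(f"line {n}: explode_tree contains {tokens}")
```

A hit shows that a request was attempted, not that it succeeded; correlate flagged lines with response sizes and database error logs.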
