CVE-2019-25703
Time-Based Blind SQL Injection in ImpressCMS 1.3.11 Admin Panel
Publication date: 2026-04-12
Last updated on: 2026-04-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| impresscms | impresscms | 1.3.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25703 is a time-based blind SQL injection vulnerability found in ImpressCMS version 1.3.11 and earlier. It allows authenticated attackers to inject malicious SQL code through the 'bid' parameter in POST requests sent to the admin.php endpoint.
By exploiting this vulnerability, attackers can manipulate database queries and extract sensitive information from the database without direct visibility of the data, using time delays to infer the results of their injected queries.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with low privileges and no user interaction to extract sensitive database information by manipulating SQL queries.
- Attackers can gain unauthorized access to sensitive data stored in the database.
- The confidentiality of the system's data is highly impacted.
- The integrity of the data is only slightly affected, and availability is not impacted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted POST requests to the admin.php endpoint with the 'bid' parameter containing SQL injection payloads that induce a time delay, confirming the presence of a time-based blind SQL injection.
For example, you can test the vulnerability by sending a POST request with a payload like: bid=12') AND SLEEP(5) AND ('Bjhx'='Bjhx
If the server response is delayed by the sleep time (e.g., 5 seconds), it indicates the presence of the SQL injection vulnerability.
A sample curl command to test this might be:
- curl -X POST -d "bid=12') AND SLEEP(5) AND ('Bjhx'='Bjhx" http://yourserver/impress/modules/system/admin.php
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the admin.php endpoint to trusted and authenticated users only, as the vulnerability requires authentication.
Additionally, applying input validation and sanitization on the 'bid' parameter to prevent SQL injection is critical.
If available, update ImpressCMS to a version that patches this vulnerability or apply any official security patches.
Monitoring and logging suspicious POST requests to the admin.php endpoint can also help detect exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers to perform time-based blind SQL injection via the 'bid' parameter, enabling them to extract sensitive information from the database.
Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate the protection of personal and sensitive information.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential data breaches and unauthorized data disclosure.