CVE-2019-25703
Received Received - Intake
Time-Based Blind SQL Injection in ImpressCMS 1.3.11 Admin Panel

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: VulnCheck

Description
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25703
EUVD
EUVD-2019-20134
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
impresscms impresscms 1.3.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25703 is a time-based blind SQL injection vulnerability found in ImpressCMS version 1.3.11 and earlier. It allows authenticated attackers to inject malicious SQL code through the 'bid' parameter in POST requests sent to the admin.php endpoint.

By exploiting this vulnerability, attackers can manipulate database queries and extract sensitive information from the database without direct visibility of the data, using time delays to infer the results of their injected queries.

Impact Analysis

This vulnerability can allow an attacker with low privileges and no user interaction to extract sensitive database information by manipulating SQL queries.

  • Attackers can gain unauthorized access to sensitive data stored in the database.
  • The confidentiality of the system's data is highly impacted.
  • The integrity of the data is only slightly affected, and availability is not impacted.
Detection Guidance

This vulnerability can be detected by sending specially crafted POST requests to the admin.php endpoint with the 'bid' parameter containing SQL injection payloads that induce a time delay, confirming the presence of a time-based blind SQL injection.

For example, you can test the vulnerability by sending a POST request with a payload like: bid=12') AND SLEEP(5) AND ('Bjhx'='Bjhx

If the server response is delayed by the sleep time (e.g., 5 seconds), it indicates the presence of the SQL injection vulnerability.

A sample curl command to test this might be:

  • curl -X POST -d "bid=12') AND SLEEP(5) AND ('Bjhx'='Bjhx" http://yourserver/impress/modules/system/admin.php
Mitigation Strategies

Immediate mitigation steps include restricting access to the admin.php endpoint to trusted and authenticated users only, as the vulnerability requires authentication.

Additionally, applying input validation and sanitization on the 'bid' parameter to prevent SQL injection is critical.

If available, update ImpressCMS to a version that patches this vulnerability or apply any official security patches.

Monitoring and logging suspicious POST requests to the admin.php endpoint can also help detect exploitation attempts.

Compliance Impact

The vulnerability allows authenticated attackers to perform time-based blind SQL injection via the 'bid' parameter, enabling them to extract sensitive information from the database.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential data breaches and unauthorized data disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart