CVE-2021-47938
ImpressCMS Remote Code Execution via Autotasks Interface
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| impresscms | impresscms | 1.4.2 |
| impresscms | impresscms | to 1.4.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47938 is a high-severity remote code execution vulnerability in ImpressCMS version 1.4.2 and earlier. It exists in the autotasks administrative interface, where authenticated attackers can inject malicious PHP code into the sat_code parameter.
By authenticating and submitting a specially crafted POST request to the endpoint /modules/system/admin.php?fct=autotasks&op=mod, attackers can create an executable file that accepts arbitrary commands via GET parameters, allowing them to execute arbitrary PHP code remotely.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary PHP code on the affected ImpressCMS server remotely. This can lead to full remote code execution, potentially compromising the entire system.
- Attackers could gain unauthorized control over the server.
- Sensitive data stored on the server could be accessed or modified.
- The integrity and availability of the website and its data could be severely impacted.
- Attackers might use the compromised server to launch further attacks or distribute malware.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for authenticated POST requests to the endpoint /modules/system/admin.php with parameters fct=autotasks and op=mod, especially those containing suspicious or crafted PHP code in the sat_code parameter.
You can use network monitoring or web server logs to identify such requests. For example, using grep on web server logs to find POST requests to the vulnerable endpoint:
- grep 'POST /modules/system/admin.php?fct=autotasks&op=mod' /var/log/apache2/access.log
Additionally, inspecting the content of the sat_code parameter in POST requests for suspicious PHP code injections can help detect exploitation attempts.
On the system, look for unexpected executable files created by the attacker that accept arbitrary commands via GET parameters, which may indicate successful exploitation.
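The log check described above, as an added example that is not part of the original page: it parses access-log lines and flags POST requests to admin.php with fct=autotasks and op=mod, regardless of parameter order, URL encoding, or an install subdirectory, which the fixed-string grep misses. It assumes the Apache/nginx "combined" log format; the function names and sample lines are constructed for illustration. Access logs do not record POST bodies, so the sat_code value itself has to be inspected at a WAF or in request-body logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_PATH = "/modules/system/admin.php"


def is_autotask_edit(method, target):
    """True for a POST to admin.php with fct=autotasks and op=mod in the query."""
    if method != "POST":
        return False
    parts = urlsplit(target)
    # endswith() also covers installs under a subdirectory such as /cms/.
    if not parts.path.lower().endswith(ADMIN_PATH):
        return False
    # parse_qs URL-decodes values and does not care about parameter order.
    query = parse_qs(parts.query)
    return "autotasks" in query.get("fct", []) and "mod" in query.get("op", [])


def find_autotask_edits(lines):
    """Return (ip, time, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_autotask_edit(m["method"], m["target"]):
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2026:10:01:02 +0000] "POST /modules/system/admin.php?fct=autotasks&op=mod HTTP/1.1" 302 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2026:10:01:09 +0000] "POST /cms/modules/system/admin.php?op=mod&fct=autotasks HTTP/1.1" 200 734 "-" "curl/8.0"',
    '203.0.113.20 - - [10/May/2026:10:02:00 +0000] "GET /modules/system/admin.php?fct=autotasks HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/May/2026:10:02:30 +0000] "POST /modules/system/admin.php?fct=users&op=mod HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, status in find_autotask_edits(SAMPLE_LOG):
        print(f"{when} {ip} status={status} POST to autotasks op=mod")
```

Each hit is a lead to correlate with the admin session that made the request and with the stored autotask entries, since legitimate administrators use the same endpoint.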
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the autotasks administrative interface to trusted users only, ensuring that only authenticated and authorized personnel can reach the vulnerable endpoint.
Apply any available patches or updates from ImpressCMS that address this vulnerability.
Monitor and block suspicious POST requests to /modules/system/admin.php?fct=autotasks&op=mod, especially those containing the sat_code parameter.
Review and remove any unauthorized executable files created by exploitation attempts.
Consider implementing web application firewall (WAF) rules to detect and block attempts to inject PHP code via the sat_code parameter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2021-47938 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.