Platform: php
Component: impresscms
Fixed in: 1.3.12
CVE-2019-25703 describes a time-based blind SQL injection vulnerability discovered in ImpressCMS version 1.3.11. This flaw allows authenticated attackers to manipulate database queries by injecting malicious SQL code through the 'bid' parameter of the admin.php endpoint. Successful exploitation could lead to unauthorized access to and exfiltration of sensitive data, impacting website integrity and user privacy.
An attacker exploiting CVE-2019-25703 can leverage the SQL injection vulnerability to extract sensitive data stored within the ImpressCMS database. This includes user credentials (usernames and passwords), administrative details, and potentially other confidential information related to the website's content and configuration. The time-based nature of the injection means data extraction is slower, but still feasible. Lateral movement within the compromised system is possible if the attacker gains access to administrative accounts. The blast radius extends to all data stored within the ImpressCMS database, potentially exposing the entire website and its users to significant risk.
CVE-2019-25703 was published on April 12, 2026. The vulnerability's severity is rated HIGH with a CVSS score of 7.1. Public proof-of-concept (POC) code may exist, increasing the risk of exploitation. The vulnerability requires authentication, limiting the initial attack surface, but once authenticated, the impact can be significant. No information is available regarding active campaigns targeting this specific vulnerability at this time.
Exploit Status
EPSS: 0.05% (16th percentile)
CVSS Vector
The primary mitigation for CVE-2019-25703 is to upgrade to a patched version of ImpressCMS as soon as one becomes available. Until a patch is released, restrict access to the admin.php endpoint to authorized users only. Implement strict input validation on the 'bid' parameter, ensuring that only expected data types and formats are accepted. Consider using a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious requests. Regularly review and audit database access logs for suspicious activity.
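As an added example (not from this page or from the ImpressCMS project), the following script supports the log-audit step above: it scans web-server access log lines for admin.php requests whose 'bid' parameter is not a plain integer, contains a time-delay SQL function, or took unusually long to serve, which is how a time-based blind injection attempt shows up on the server side. The log lines, the trailing response-time field (microseconds, as Apache's %D would log it) and the 3-second threshold are all constructed assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format plus a trailing %D field).
# These lines are invented for this example, not real ImpressCMS traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Apr/2026:10:01:02 +0000] "GET /admin.php?bid=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 120000
10.0.0.9 - admin [12/Apr/2026:10:01:09 +0000] "GET /admin.php?bid=7%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.0" 5230000
10.0.0.9 - admin [12/Apr/2026:10:01:15 +0000] "GET /admin.php?bid=7' HTTP/1.1" 500 312 "-" "curl/8.0" 90000
10.0.0.5 - - [12/Apr/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0" 80000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<usec>\d+)$'
)
# Functions commonly used to make a query stall; their presence in an
# id parameter is never legitimate.
SQL_TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep)\b", re.IGNORECASE)


def analyze_line(line: str, slow_ms: int = 3000):
    """Return a record for admin.php?bid=... requests, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != "/admin.php":
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
    if "bid" not in params:
        return None
    bid = params["bid"][0]
    reasons = []
    if not re.fullmatch(r"\d{1,10}", bid):  # the only expected shape is an integer id
        reasons.append("bid is not a plain integer")
    if SQL_TIME_FUNCS.search(bid):
        reasons.append("time-delay function in bid")
    elapsed_ms = int(m["usec"]) // 1000
    if elapsed_ms >= slow_ms:  # a stalled response is the signal of time-based blind SQLi
        reasons.append(f"slow response ({elapsed_ms} ms)")
    return {"ip": m["ip"], "user": m["user"], "bid": bid,
            "status": int(m["status"]), "reasons": reasons}


def scan(log_text: str):
    """Return only the admin.php requests that raised at least one flag."""
    return [r for r in (analyze_line(l) for l in log_text.splitlines()) if r and r["reasons"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```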
Update ImpressCMS to a fixed version. Check the official ImpressCMS website or the community forums for specific upgrade instructions and security patches. Make sure all user input is properly validated and escaped to prevent future SQL injections.
CVE-2019-25703 is a SQL Injection vulnerability affecting ImpressCMS version 1.3.11. It allows authenticated attackers to extract sensitive database information by manipulating SQL queries through the 'bid' parameter in the admin.php endpoint.
You are affected if you are running ImpressCMS version 1.3.11. Check your installation version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of ImpressCMS. Until a patch is available, restrict access to admin.php and implement strict input validation on the 'bid' parameter.
While no active campaigns are currently known, the availability of public proof-of-concept code increases the risk of exploitation. Continuous monitoring and mitigation are recommended.
Refer to the official ImpressCMS website and security advisories for updates and patches related to CVE-2019-25703. Check their forums and mailing lists for announcements.