CVE-2019-25703

EUVD-2019-20134
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
impresscmsimpresscms
1.3.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.impresscms.org/
https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip
https://www.exploit-db.com/exploits/46239
https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter