Description
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
Published: 2026-04-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection leading to extraction of sensitive database information
Action: Immediate Patch
AI Analysis

Impact

ImpressCMS 1.3.11 contains a time‑based blind SQL injection vulnerability in the 'bid' parameter of the admin.php script. An attacker with administrator access can send a crafted POST request that causes the database engine to execute injected SQL code, allowing the attacker to retrieve arbitrary data from the database.

Affected Systems

All released versions of the ImpressCMS content‑management platform from 1.2.3 (RC2) through 1.4.5 are affected. Users who have not applied the latest patch or updated to a version excluding the vulnerable code are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but no EPSS data is available, making the current exploitation likelihood uncertain. The vulnerability requires the attacker to be authenticated as an administrator, implying exploitation must occur through the web interface. Additionally, the time‑based blind nature of the injection means that detection may require monitoring for delayed responses. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported.

Generated by OpenCVE AI on April 12, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a newer, non‑vulnerable release of ImpressCMS.
  • Restrict administrative privileges to trusted users and enforce least‑privilege principles.
  • Implement input validation or whitelisting on the 'bid' parameter to prevent arbitrary SQL code execution.
  • Monitor database activity for delayed or repeated queries that may indicate a time‑based injection attempt.

Generated by OpenCVE AI on April 12, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 12 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
Title ImpressCMS 1.3.11 SQL Injection via bid Parameter
First Time appeared Impresscms
Impresscms impresscms
Weaknesses CWE-89
CPEs cpe:2.3:a:impresscms:impresscms:1.2.3:rc2:*:*:*:*:*:*
cpe:2.3:a:impresscms:impresscms:1.3.10:*:*:*:*:*:*:*
cpe:2.3:a:impresscms:impresscms:1.3.11:*:*:*:*:*:*:*
cpe:2.3:a:impresscms:impresscms:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:impresscms:impresscms:1.3.6.1:*:*:*:*:*:*:*
cpe:2.3:a:impresscms:impresscms:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:impresscms:impresscms:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:impresscms:impresscms:1.4.5:*:*:*:*:*:*:*
Vendors & Products Impresscms
Impresscms impresscms
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Impresscms Impresscms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T12:08:59.239Z

Reserved: 2026-04-05T15:38:20.128Z

Link: CVE-2019-25703

cve-icon Vulnrichment

Updated: 2026-04-13T12:08:53.088Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-12T13:16:33.113

Modified: 2026-04-17T16:51:11.563

Link: CVE-2019-25703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:55:53Z

Weaknesses