Primary

Context

ImpressCMS Time-Based Blind SQL Injection Vulnerability

Vulnerability

Patched

A time-based blind SQL injection vulnerability has been identified in ImpressCMS version 1.3.11. This vulnerability allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Exploitation involves sending POST requests to the admin.php endpoint with crafted 'bid' values that include SQL commands, enabling attackers to extract sensitive information from the database.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can manipulate SQL queries and potentially access or modify database information.

Reproduction

To reproduce this vulnerability, log into an application running ImpressCMS 1.3.11. Send a POST request to the admin.php endpoint with the 'bid' parameter set to a value that includes a SQL injection payload, such as one that uses a SQL injection technique to delay the response, indicating successful exploitation.

Added: Apr 12, 2026, 1:23 PM

Updated: Apr 12, 2026, 1:23 PM

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

3.1

exploitability

6.8

remediation

7.7

relevance

5.7

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

3.1

exploitability

6.8

remediation

7.7

relevance

5.7

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

ImpressCMS Time-Based Blind SQL Injection Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

ImpressCMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating