{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25703", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-05T15:38:20.128Z", "datePublished": "2026-04-12T12:28:50.523Z", "dateUpdated": "2026-04-13T12:08:59.239Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:50.523Z"}, "datePublic": "2019-01-24T00:00:00.000Z", "title": "ImpressCMS 1.3.11 SQL Injection via bid Parameter", "descriptions": [{"lang": "en", "value": "ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Impresscms", "product": "ImpressCMS", "versions": [{"version": "1.3.11", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.3.11:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.4.5:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.4.2:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.4.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.3.10:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.3.5:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.3.6.1:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.2.3:rc2:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46239", "name": "ExploitDB-46239", "tags": ["exploit"]}, {"url": "http://www.impresscms.org/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter"}], "credits": [{"lang": "en", "value": "Mehmet Onder Key", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:08:43.431107Z", "id": "CVE-2019-25703", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:08:59.239Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "ImpressCMS 1.3.11 SQL Injection via bid Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Mehmet Onder Key"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Impresscms", "product": "ImpressCMS", "versions": [{"status": "affected", "version": "1.3.11"}]}], "datePublic": "2019-01-24T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46239", "name": "ExploitDB-46239", "tags": ["exploit"]}, {"url": "http://www.impresscms.org/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter", "name": "VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:impresscms:impresscms:1.3.11:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:impresscms:impresscms:1.4.5:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:impresscms:impresscms:1.4.2:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:impresscms:impresscms:1.4.0:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:impresscms:impresscms:1.3.10:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:impresscms:impresscms:1.3.5:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:impresscms:impresscms:1.3.6.1:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:impresscms:impresscms:1.2.3:rc2:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:50.523Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25703", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:08:43.431107Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-13T12:08:53.088Z"}}]}, "cveMetadata": {"cveId": "CVE-2019-25703", "state": "PUBLISHED", "dateUpdated": "2026-04-12T12:28:50.523Z", "dateReserved": "2026-04-05T15:38:20.128Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-12T12:28:50.523Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:impresscms:impresscms:1.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "00A97C38-579D-47B0-842B-C7577169D6B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information."}], "id": "CVE-2019-25703", "lastModified": "2026-04-17T16:51:11.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-12T13:16:33.113", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://www.impresscms.org/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46239"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.11"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ImpressCMS", "source": "cna", "vendor": "Impresscms"}, "product": "impresscms", "vendor": "impresscms"}], "analysis": {"en": {"generated_at": "2026-04-12T14:20:26.991191+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch or upgrade to a newer, non\u2011vulnerable release of ImpressCMS.", "Restrict administrative privileges to trusted users and enforce least\u2011privilege principles.", "Implement input validation or whitelisting on the 'bid' parameter to prevent arbitrary SQL code execution.", "Monitor database activity for delayed or repeated queries that may indicate a time\u2011based injection attempt."], "summary": {"action": "Immediate Patch", "impact": "SQL injection leading to extraction of sensitive database information"}, "threat_synthesis": {"affected_systems": "All released versions of the ImpressCMS content\u2011management platform from 1.2.3 (RC2) through 1.4.5 are affected. Users who have not applied the latest patch or updated to a version excluding the vulnerable code are at risk.", "description_and_impact": "ImpressCMS 1.3.11 contains a time\u2011based blind SQL injection vulnerability in the 'bid' parameter of the admin.php script. An attacker with administrator access can send a crafted POST request that causes the database engine to execute injected SQL code, allowing the attacker to retrieve arbitrary data from the database.", "risk_and_exploitability": "The CVSS score of 7.1 indicates high severity, but no EPSS data is available, making the current exploitation likelihood uncertain. The vulnerability requires the attacker to be authenticated as an administrator, implying exploitation must occur through the web interface. Additionally, the time\u2011based blind nature of the injection means that detection may require monitoring for delayed responses. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported."}}}}, "created": "2026-04-13T12:41:15.464098+00:00", "updated": "2026-04-13T12:55:53.609553+00:00", "vendors": ["impresscms", "impresscms$PRODUCT$impresscms"]}