CVE-2019-25366
Description
microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in microASP Portal+ CMS via the explode_tree parameter allows attackers to extract sensitive database information.
Vulnerability
CVE-2019-25366 is an unauthenticated SQL injection vulnerability in microASP Portal+ CMS. The flaw resides in the explode_tree parameter processed by pagina.phtml. An attacker can inject malicious SQL code using functions like extractvalue and concat to extract data from the database. The vendor site is http://www.microasp.it/ and the exploit was published on Exploit-DB [1].
Exploitation
Exploitation requires no authentication; an attacker only needs to send a crafted HTTP request to a vulnerable endpoint. A publicly available proof-of-concept demonstrates how to retrieve the current database name by injecting a payload into the explode_tree parameter. The attack can be performed over standard HTTP or HTTPS [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries, leading to potential disclosure of sensitive database contents such as user credentials or application data. The CVSS v3 score is 8.2 (High), indicating significant risk.
Mitigation
No official patch or vendor advisory has been identified. Since the original exploit dates back to 2019, users should assume the software is end-of-life and migrate to a supported alternative. No workaround is known [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
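With no patch or workaround identified, reviewing web server logs for probes against this parameter is one practical check. The following is an added example, not part of the CVE record or of any vendor code. It assumes a combined-format access log and that explode_tree arrives in the query string, and its sample log lines are constructed, with PLACEHOLDER standing in for attacker-chosen SQL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumption: combined-format access log, parameter sent in the query string.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Function names the CVE description ties to the injection, followed by "(".
SQL_CALL_RE = re.compile(r'(extractvalue|concat)\s*\(', re.IGNORECASE)
INLINE_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)

def fully_decode(value, max_rounds=3):
    """Undo nested URL encoding (%2528 -> %28 -> "(") so encoding cannot hide tokens."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_explode_tree(log_line):
    """Return the decoded explode_tree value if it contains a SQL call, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith("/pagina.phtml"):
        return None
    for raw in parse_qs(target.query, keep_blank_values=True).get("explode_tree", []):
        value = fully_decode(raw)
        # Drop /**/ comments, a common way to split a function name from its "(".
        if SQL_CALL_RE.search(INLINE_COMMENT_RE.sub("", value)):
            return value
    return None

def scan(lines):
    """Return (line number, client address, decoded value) for each flagged entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_explode_tree(line)
        if value is not None:
            hits.append((number, line.split()[0], value))
    return hits

# Constructed sample entries; PLACEHOLDER stands in for attacker-chosen SQL.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2019:10:01:02 +0000] "GET /pagina.phtml?explode_tree=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2019:10:01:05 +0000] "GET /pagina.phtml?explode_tree=1%20ExtractValue%28CONCAT%28PLACEHOLDER%29%29 HTTP/1.1" 200 811',
    '203.0.113.9 - - [10/Mar/2019:10:01:09 +0000] "GET /pagina.phtml?explode_tree=1%2520extractvalue%252F%252A%252A%252F%2528PLACEHOLDER%2529 HTTP/1.1" 200 811',
    '198.51.100.7 - - [10/Mar/2019:10:02:00 +0000] "GET /news.phtml?q=concat%28a%29 HTTP/1.1" 200 900',
]
```

Calling scan(SAMPLE_LOG) flags entries 2 and 3, including the double-encoded one. Parameters sent in a POST body do not appear in access logs, so that case needs request-body logging at a proxy or WAF.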
Affected products: 1
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.