VYPR
Critical severity · NVD Advisory · Published Mar 28, 2022 · Updated Aug 3, 2024

CVE-2021-26599

Description

ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImpressCMS <= 1.4.3 suffers from a SQL injection in findusers.php, enabling admin account takeover via unauthenticated boolean-based and stacked queries.

Vulnerability

An SQL injection vulnerability exists in ImpressCMS versions 1.4.3 and earlier, located in the /include/findusers.php script. The groups POST parameter is passed unsanitized to the icms_member_Handler::getUserCountByGroupLink() and icms_member_Handler::getUsersByGroupLink() methods at lines 281 and 294, which use the input directly in SQL queries [1][4]. No special configuration or privileges are required to reach the vulnerable code path; the script is accessible to unauthenticated users.

Exploitation

A remote attacker can exploit this vulnerability by sending a crafted HTTP POST request to the /include/findusers.php endpoint with a malicious groups parameter. Because the application allows stacked SQL queries, the attacker can first inject a boolean-based payload to extract data (e.g., from the users table) or directly execute stacked statements to create a new administrative user [4]. No authentication or prior access is needed, and the attack does not require user interaction.

Impact

Successful exploitation leads to SQL injection with stacked query support. An attacker can read sensitive information from the users table (e.g., password hashes, email addresses) and, more critically, execute arbitrary SQL statements to create a new administrator account. This can ultimately result in full administrative control over the ImpressCMS site, enabling arbitrary PHP code execution and complete compromise of the CMS [4].

Mitigation

Version 1.4.4, released on 2022-03-09, fixes the vulnerability by properly sanitizing the groups input before use in SQL queries [3][4]. All users running ImpressCMS 1.4.3 or earlier should upgrade immediately to 1.4.4 or later. No workaround is available, as the vulnerable script is integral to the user management feature.
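The mitigation above amounts to never letting raw `groups` values reach the SQL text. This added example (not the ImpressCMS patch or project code) validates the values as positive integers and binds them as parameters instead of concatenating them into an `IN (...)` list; the table, column and function names are hypothetical, and the rows are constructed sample data in an in-memory SQLite database.

```php
<?php
declare(strict_types=1);
// Table and column names (groups_users_link, groupid, uid) and all function
// names are hypothetical, not copied from the ImpressCMS source.

// Step 1: accept only positive integers; reject anything else outright.
function normalizeGroupIds($raw): array
{
    if (!is_array($raw)) {
        throw new InvalidArgumentException('groups must be an array');
    }
    $ids = [];
    foreach ($raw as $value) {
        // Fails for "2x", "", floats and nested arrays.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('groups must contain only positive integers');
        }
        $ids[$id] = $id; // de-duplicate
    }
    return array_values($ids);
}

// Step 2: bind the validated ids; the SQL text contains placeholders only.
function countUsersInGroups(PDO $db, $rawGroups): int
{
    $ids = normalizeGroupIds($rawGroups);
    if ($ids === []) {
        return 0; // never emit "IN ()"
    }
    $marks = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT COUNT(DISTINCT uid) FROM groups_users_link WHERE groupid IN ($marks)");
    $stmt->execute($ids);
    return (int) $stmt->fetchColumn();
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE groups_users_link (groupid INTEGER, uid INTEGER)');
$db->exec('INSERT INTO groups_users_link VALUES (1, 10), (2, 10), (2, 11), (3, 12)');

var_dump(countUsersInGroups($db, ['1', '2'])); // well-formed request values
try {
    countUsersInGroups($db, ['1', '2x']);      // constructed non-integer value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting the whole request on the first invalid element, rather than silently casting it, also gives the application a clear event to log when something probes this parameter.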

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
impresscms/impresscms (Packagist) | < 1.4.3 | 1.4.3
