CVE-2021-26599 Scanner

CVE-2021-26599 Scanner - SQL Injection vulnerability in ImpressCMS

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 8 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

ImpressCMS is a content management system widely used by web developers and organizations to create and manage dynamic websites and online communities. It is an open-source platform designed for ease of use and extensibility, supporting modules and themes to customize the user experience. ImpressCMS is employed by webmasters seeking a flexible CMS for blogs, portals, and social networking sites. The software is maintained by an active community of developers who provide updates and security patches to improve its functionality and protect users. Every release before 1.4.3 is affected by this issue, and upgrading promptly is advised.

This vulnerability is a SQL injection flaw, which allows an attacker to manipulate the database queries the software executes. It exists in the groups parameter of the include/findusers.php endpoint, which does not properly sanitize user input before incorporating it into SQL commands. An unauthenticated attacker can exploit this to inject arbitrary SQL, potentially reading sensitive data, modifying database contents, or causing a denial of service. Because the exploit can be triggered remotely and without any credentials, its severity is increased. Given the critical impact on confidentiality, integrity, and availability, this vulnerability requires immediate attention.

Technically, the vulnerability occurs because the groups parameter in the POST request to include/findusers.php is concatenated directly into SQL statements without sufficient validation or parameterization. The endpoint expects an array of group IDs, but crafted values using SQL syntax such as OR SLEEP(7) allow an attacker to test for and exploit the injection. The flaw can be verified by measuring the response delay and checking for the response data expected when the injected query executes. The improper handling of this parameter creates a direct pathway for attacker-supplied SQL to reach the backend database.
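The following is an added illustration of the defect class described above, not code from the page or from the ImpressCMS project: a lookup that builds an IN (...) list by concatenating the submitted group IDs, shown next to a hardened version that validates each ID as a decimal integer and binds one placeholder per value. The schema and data are constructed for the example and use SQLite as a stand-in for the CMS database; the table and column names are assumptions, not ImpressCMS's real ones.

```python
import re
import sqlite3

# Constructed sample database standing in for the CMS user and group tables
# (assumption: simplified schema chosen for this example).
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT)")
    conn.execute("CREATE TABLE groups_users_link (groupid INTEGER, uid INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "alice"), (3, "bob")])
    # admin is only in group 1; alice and bob are in group 2
    conn.executemany("INSERT INTO groups_users_link VALUES (?, ?)",
                     [(1, 1), (2, 2), (2, 3)])
    return conn


def find_users_vulnerable(conn, groups):
    """Vulnerable pattern: request values are joined straight into the SQL text.

    HTTP delivers the groups array as strings, so anything the client sends
    becomes part of the statement, including extra SQL after the first value.
    """
    in_list = ", ".join(str(g) for g in groups)
    sql = ("SELECT DISTINCT u.uname FROM users u "
           "JOIN groups_users_link l ON l.uid = u.uid "
           f"WHERE l.groupid IN ({in_list})")
    return sorted(row[0] for row in conn.execute(sql))


def find_users_safe(conn, groups):
    """Hardened version: validate every ID, then bind one placeholder per value.

    The number of IN-list entries cannot itself be a bound parameter, so the
    placeholder list is sized from the validated input and the values travel
    separately from the statement text.
    """
    ids = []
    for g in groups:
        text = str(g)
        # Only plain decimal digits are accepted; anything else is rejected
        # outright instead of being passed on to the database.
        if not re.fullmatch(r"[0-9]+", text):
            raise ValueError(f"invalid group id: {text!r}")
        ids.append(int(text))
    if not ids:
        return []
    placeholders = ", ".join("?" for _ in ids)
    sql = ("SELECT DISTINCT u.uname FROM users u "
           "JOIN groups_users_link l ON l.uid = u.uid "
           f"WHERE l.groupid IN ({placeholders})")
    return sorted(row[0] for row in conn.execute(sql, ids))


if __name__ == "__main__":
    db = build_sample_db()
    # Legitimate request: members of group 2 only.
    print(find_users_vulnerable(db, ["2"]))          # ['alice', 'bob']
    # A value carrying a tautology widens the vulnerable query to every user.
    print(find_users_vulnerable(db, ["2) OR 1=1 --"]))  # ['admin', 'alice', 'bob']
    # The hardened version refuses the same value before any SQL runs.
    try:
        find_users_safe(db, ["2) OR 1=1 --"])
    except ValueError as err:
        print("rejected:", err)
    print(find_users_safe(db, ["2"]))                # ['alice', 'bob']
```

The example uses a tautology rather than a timing payload because the result is visible directly in the returned rows; the root cause and the fix are the same for the time-based probe the text mentions. Note that whitelisting the input type and using bound parameters are complementary: the regex stops malformed values at the edge, and the placeholders guarantee that even a value that slips through validation is treated as data, never as SQL.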

If exploited, attackers may gain unauthorized access to sensitive user information stored in the database, manipulate or delete data, and disrupt the normal operation of the website. This could lead to site defacement, user data leakage, or full compromise of the web application backend. Attackers could also use the vulnerability as a foothold for lateral movement or privilege escalation within the hosting environment. The high severity rating reflects the potential for widespread damage and data loss.
