CVE-2019-25366 in Portal+ CMS
Summary
by MITRE • 02/22/2026
microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/22/2026
The CVE-2019-25366 vulnerability represents a critical SQL injection flaw within the microASP Portal+ CMS platform that exposes organizations to significant data breach risks. This vulnerability specifically affects the pagina.phtml script where the explode_tree parameter is processed without adequate input sanitization. The flaw enables unauthenticated attackers to inject malicious SQL code directly into the application's query execution flow, bypassing normal authentication mechanisms and authorization controls. The vulnerability stems from improper parameter validation and inadequate input filtering practices that allow attackers to manipulate the database interaction layer.
The technical exploitation of this vulnerability leverages SQL injection techniques that utilize the extractvalue and concat functions to extract sensitive database information without requiring valid credentials or privileged access. Attackers can craft malicious requests that manipulate the explode_tree parameter to execute arbitrary SQL commands against the underlying database system. This particular implementation allows for information disclosure attacks where the current database name and potentially other sensitive data can be extracted through carefully constructed SQL payloads. The vulnerability operates at the application layer and can be exploited through HTTP requests without requiring any prior authentication or session information.
The operational impact of CVE-2019-25366 extends beyond simple information disclosure to potentially enable complete database compromise. Attackers can leverage this vulnerability to extract user credentials, personal data, application configuration details, and other sensitive information stored within the database. The unauthenticated nature of the exploit means that any external party can access the vulnerable system without requiring legitimate credentials, making it particularly dangerous for organizations with public-facing web applications. This vulnerability directly violates security principles outlined in CWE-89, which addresses SQL injection flaws in software applications, and aligns with ATT&CK technique T1071.004 for application layer protocol manipulation.
Organizations affected by this vulnerability should implement immediate mitigations including input validation and parameterized query execution throughout the application codebase. The recommended approach involves sanitizing all user inputs, particularly parameters like explode_tree, and implementing proper SQL query parameterization to prevent malicious code injection. Network-level protections such as web application firewalls and intrusion detection systems should be configured to monitor for known SQL injection patterns. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities in other application components. Additionally, implementing the principle of least privilege for database accounts and regular database access logging will help detect unauthorized access attempts and provide forensic evidence in case of successful exploitation.