CVE-2019-25366

HIGH

microASP Portal+ CMS - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25366. PoCs published by felipe andrian.

AI-analyzed exploit summary The exploit demonstrates a SQL injection vulnerability in microASP (Portal+) CMS via the 'explode_tree' parameter. It includes a functional PoC payload that extracts the database name using MySQL-specific functions like 'extractvalue' and 'concat'.

Description

microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name.

Exploits (1)

exploitdb WORKING POC VERIFIED
by felipe andrian · textwebappsasp
https://www.exploit-db.com/exploits/46799

The exploit demonstrates a SQL injection vulnerability in microASP (Portal+) CMS via the 'explode_tree' parameter. It includes a functional PoC payload that extracts the database name using MySQL-specific functions like 'extractvalue' and 'concat'.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: microASP (Portal+) CMS
No auth needed
Prerequisites: Target running microASP (Portal+) CMS with vulnerable endpoint exposed
devstral-2 · analyzed Feb 22, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/46799
Various Sources product
http://www.microasp.it/

Scores

CVSS v3 8.2
EPSS 0.0035
EPSS Percentile 26.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Microasp/microASP (Portal+) CMS
Published Feb 22, 2026
Tracked Since Feb 22, 2026