Skip to main content

Pbootcms CVE-2020-19248

MEDIUM
SQL Injection (CWE-89)
2025-02-21 cve@mitre.org
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:27 vuln.today
PoC Detected
Apr 07, 2025 - 15:05 vuln.today
Public exploit code
CVE Published
Feb 21, 2025 - 19:15 nvd
MEDIUM 5.1

DescriptionCVE.org

SQL Injection vulnerability in PbootCMS 1.4.1 in parsing if statements in templates, resulting in a malicious user's ability to contaminate template content by searching for page contamination URLs, thus triggering vulnerabilities when the program uses eval statements to parse templates.

AnalysisAI

SQL Injection vulnerability in PbootCMS 1.4.1 in parsing if statements in templates, resulting in a malicious user's ability to contaminate template content by searching for page contamination URLs,. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. SQL Injection vulnerability in PbootCMS 1.4.1 in parsing if statements in templates, resulting in a malicious user's ability to contaminate template content by searching for page contamination URLs, thus triggering vulnerabilities when the program uses eval statements to parse templates. Affected products include: Pbootcms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2023-39834 CRITICAL POC
9.8 Aug 24

PbootCMS below v3.2.0 was discovered to contain a command injection vulnerability via create_function. Rated critical se

CVE-2022-32417 CRITICAL POC
9.8 Jul 14

PbootCMS v3.1.2 was discovered to contain a remote code execution (RCE) vulnerability via the function parserIfLabel at

CVE-2018-19893 CRITICAL POC
9.8 Dec 06

SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string. Rated critica

CVE-2018-19595 CRITICAL POC
9.8 Nov 27

PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as

CVE-2018-18450 CRITICAL POC
9.8 Oct 17

apps\admin\controller\content\SingleController.php in PbootCMS before V1.3.0 build 2018-11-12 has SQL Injection, as demo

CVE-2018-11369 CRITICAL POC
9.8 May 22

An issue was discovered in PbootCMS v1.0.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2018-10133 CRITICAL POC
9.8 Apr 16

PbootCMS v0.9.8 allows PHP code injection via an IF label in index.php/About/6.html or admin.php/Site/index.html, relate

CVE-2025-46109 HIGH POC
8.8 Jun 18

SQL Injection vulnerability in pbootCMS versions 3.2.5 and 3.2.10 that allows unauthenticated remote attackers to execut

CVE-2018-11018 HIGH POC
8.8 May 13

An issue was discovered in PbootCMS v1.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2018-10132 HIGH POC
8.8 Apr 16

PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injec

CVE-2018-18211 HIGH POC
8.1 Oct 10

PbootCMS 1.2.1 has SQL injection via the HTTP POST data to the api.php/cms/addform?fcode=1 URI. Rated high severity (CVS

CVE-2023-50082 HIGH POC
7.5 Jan 04

Aoyun Technology pbootcms V3.1.2 is vulnerable to Incorrect Access Control, allows remote attackers to gain sensitive in

Share

CVE-2020-19248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy