Impresscms

ImpressCMS 1.4.2 is vulnerable to remote code execution (RCE) via the autotasks administrative interface, where authenticated attackers can inject malicious PHP code into the sat_code parameter via a POST request to /modules/system/admin.php, leading to arbitrary PHP code execution through GET parameters (CVE-2021-47938).

ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability allowing authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter via POST requests to the admin.php endpoint.