CVE-2019-25366

microASP · Portal+ CMS

An unauthenticated SQL injection vulnerability in microASP Portal+ CMS allows remote attackers to execute arbitrary SQL queries via the explode_tree parameter.

Executive summary

The microASP Portal+ CMS contains a high-severity SQL injection vulnerability that lets an unauthenticated remote attacker read, modify or delete database contents through a single request parameter.

Vulnerability

This is a classic SQL injection flaw in the handling of the "explode_tree" request parameter. The application places the supplied value into a database query without validating its type or binding it as a parameter, so an unauthenticated remote attacker can append SQL of their own that the database server executes with the privileges of the CMS database account.
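The following is an added illustration, not code from microASP Portal+ (whose source is not shown on this page): a minimal stand-in for the pattern the advisory describes, where an `explode_tree` value is concatenated into a query that selects child pages of a tree node, next to the hardened form that validates the value as an integer and binds it. The schema, table and column names are hypothetical and the sample rows are constructed; SQLite is used only so the example runs offline.

```python
"""Added example (not microASP Portal+ code): unparameterised vs. parameterised
handling of a hypothetical 'explode_tree' node id. Schema and data are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a page tree and a users table (both hypothetical).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, parent_id INTEGER, title TEXT);
        INSERT INTO pages VALUES (1, 0, 'Home'), (2, 1, 'About'), (3, 1, 'Contact');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
        """
    )
    return conn


def children_vulnerable(conn: sqlite3.Connection, explode_tree: str) -> list:
    # The pattern the advisory describes: the raw request value is pasted into SQL.
    # A UNION payload in explode_tree makes this query return rows from other tables.
    sql = "SELECT title FROM pages WHERE parent_id = " + explode_tree
    return [row[0] for row in conn.execute(sql)]


def children_fixed(conn: sqlite3.Connection, explode_tree: str) -> list:
    # Hardened form: enforce the expected type first, then bind the value so the
    # database never interprets request data as SQL syntax.
    if not re.fullmatch(r"[0-9]+", explode_tree):
        raise ValueError("explode_tree must be a non-negative integer")
    sql = "SELECT title FROM pages WHERE parent_id = ?"
    return [row[0] for row in conn.execute(sql, (int(explode_tree),))]


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION ALL SELECT username || ':' || pw_hash FROM users"
    print("vulnerable:", children_vulnerable(db, payload))
    try:
        children_fixed(db, payload)
    except ValueError as exc:
        print("fixed:", exc)
```

The payload shown only needs one request and no session, which is what the CVSS vector on this page reflects. Note that `sqlite3.Connection.execute` refuses stacked statements, so the data-deletion case from the summary is not reproducible in this stand-in; databases that accept multiple statements per call would also expose it.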

Business impact

With a CVSS score of 8.2, the impact of this vulnerability is severe. An attacker could extract the entire user table, including credential hashes, and use it to take over accounts; modify or delete website content; or remove records outright. The resulting exposure carries significant financial loss and long-term reputational damage for the organization.

Remediation

Immediate Action: Update the microASP Portal+ CMS to the latest version immediately. Confirm that the fix handles the explode_tree parameter with parameterized queries or strict type validation (for example, accepting only an integer identifier) rather than with keyword filtering, which is routinely bypassed.

Proactive Monitoring: Organizations should review web server access logs for requests in which the explode_tree parameter contains anything other than the expected value (quotes, comment sequences, UNION or other SQL keywords), correlate those with database query logs and error spikes, and check for unauthorized administrative account creation or unexpected changes to the users table.
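As an added example (not part of the original advisory), the following scans access-log lines for requests whose `explode_tree` value is not a plain integer and carries SQL metacharacters or keywords. The log format (Common Log Format), the `/portal/index.asp` path and the sample lines are constructed for the illustration; the expectation that `explode_tree` is an integer identifier is an assumption.

```python
"""Added detection example (not from the original advisory): flag access-log
requests with a suspicious 'explode_tree' parameter. Sample lines are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Common Log Format; addresses and paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /portal/index.asp?explode_tree=12 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2024:12:00:07 +0000] "GET /portal/index.asp?explode_tree=12%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 7433
198.51.100.9 - - [10/Mar/2024:12:01:15 +0000] "GET /portal/index.asp?explode_tree=12%27%20OR%201%3D1-- HTTP/1.1" 500 0
198.51.100.9 - - [10/Mar/2024:12:01:20 +0000] "GET /portal/index.asp?page=about HTTP/1.1" 200 3100
"""

# Client address, timestamp, request line and status code of a CLF entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL metacharacters, comment openers and keywords that have no place in an integer id.
SQLI_RE = re.compile(
    r"(['\"#;]|--|/\*|\b(union|select|insert|update|delete|drop|or|and)\b)", re.I
)


def is_suspicious(value: str) -> bool:
    """Assumption: explode_tree is an integer id; flag non-integers that look like SQL."""
    if re.fullmatch(r"[0-9]+", value):
        return False
    return bool(SQLI_RE.search(value))


def scan(log_text: str) -> list:
    """Return one finding per request whose explode_tree value looks injected."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs decodes one layer of percent-encoding; the extra unquote_plus
        # normalises double-encoded payloads so they are matched too.
        for raw in parse_qs(query, keep_blank_values=True).get("explode_tree", []):
            value = unquote_plus(raw)
            if is_suspicious(value):
                findings.append(
                    {"ip": m.group("ip"), "ts": m.group("ts"),
                     "status": m.group("status"), "value": value}
                )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} explode_tree={f['value']!r}")
```

POST bodies are not recorded in standard access logs, so this only covers the GET case named in the compensating-controls paragraph; for POST traffic the same check has to run on the WAF or application side. A 500 response paired with a flagged value, as in the third sample line, is the typical footprint of an attacker probing the query structure before a working extraction.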

Compensating Controls: Until the update is deployed, place a Web Application Firewall (WAF) in front of the CMS with rules that block SQL injection patterns in GET and POST requests, and where possible restrict explode_tree to integer values at the edge. Treat this as a stopgap only: signature-based filtering can be evaded with encoding and comment tricks, so it does not remove the need to patch.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Because this vulnerability is unauthenticated and provides direct database access, it must be treated with the highest urgency. Immediate patching is required to secure the environment against automated exploitation attempts.