Critical Blind SQL Injection Vulnerability in Pragyan CMS


Advisory by Netsparker (now Invicti)
Name: Critical Blind SQL Injection vulnerability in Pragyan CMS
Software: Pragyan CMS v3.0 and possibly below.
Vendor Homepage:
Vulnerability Type: SQL Injection
Severity: Critical
Researcher: Omar Kurt
Advisory Reference: NS-14-001


A simple and fast multiuser content management system to organize collaborative web-content. This CMS allows very fine user&group permissions, generating pages like articles, forms, quizzes, forums, etc, search powered by sphider.


Pragyan CMS is affected by Blind SQL Injection vulnerabilities in version 3.0.
Example PoC urls are as follows:

  • Blind SQL Injection'+(SELECT 1 FROM (SELECT SLEEP(25))A)+'

You can read the full article about Cross-Site Scripting and SQL Injection vulnerabilities from here: 


Vulnerability patched by Pragyan CMS developers. This vulnerability firstly reported by months ago.

Advisory Timeline

13/12/2013 – First Contact – Request Security contact
24/12/2013 – Second Contact – Sent Details
27/12/2013 – Vulnerability Fixed
29/01/2014 – Advisory Released


It has been discovered on testing of Invicti Web Application Security Scanner.

About Invicti

Invicti® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on. Invicti’s unique detection and exploitation techniques allows it to be dead accurate in reporting hence it’s the first and the only False Positive Free web application security scanner.