CVE-2021-26599: 
PHP vulnerability analysis and mitigation

CVE-2021-26599 affects ImpressCMS versions 1.4.3 and earlier, specifically in the /include/findusers.php script. The vulnerability was discovered in January 2021 and publicly disclosed in March 2022 after the release of version 1.4.4 which contained the fix (Karma Security, Full Disclosure).

The vulnerability exists in the /include/findusers.php script where user input passed through the "groups" POST parameter is not properly sanitized before being used in the icms_member_Handler::getUserCountByGroupLink() and icms_member_Handler::getUsersByGroupLink() methods. These methods use the unsanitized input to construct SQL queries, making them vulnerable to SQL injection attacks. The application allows for stacked SQL queries, increasing the severity of the vulnerability (Karma Security).

The vulnerability allows remote attackers to read sensitive data from the "users" database table through boolean-based SQL injection attacks. Due to the application's support for stacked SQL queries, attackers could potentially create new admin users and execute arbitrary PHP code (Karma Security, Full Disclosure).

Users should upgrade to ImpressCMS version 1.4.4 or later to address this vulnerability. It's worth noting that version 1.4.3 was released with an ineffective fix, making it necessary to upgrade to version 1.4.4 for complete remediation (Karma Security).