CVE-2019-25662
SQL Injection in ResourceSpace 8.6 Allows Data Extraction
Publication date: 2026-04-05
Last updated on: 2026-04-14
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| montala | resourcespace | to 8.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter.
Attackers can send specially crafted GET requests to the watched_searches.php endpoint with SQL payloads to extract sensitive database information such as usernames and credentials.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive database information including usernames and credentials.
Because attackers can execute arbitrary SQL queries without authentication, they may compromise confidentiality by extracting sensitive data.