CVE-2019-25693
SQL Injection in ResourceSpace 8.6 Allows Data Extraction
Publication date: 2026-04-12
Last updated on: 2026-04-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| montala | resourcespace | 8.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25693 is a SQL injection vulnerability in ResourceSpace version 8.6 that affects the collection_edit.php page. Authenticated attackers can exploit this vulnerability by injecting malicious SQL code through the 'keywords' POST parameter.
This injection allows attackers to execute arbitrary SQL queries on the backend MySQL database, enabling them to extract sensitive information such as database schema names, user credentials, and other confidential data.
The attack techniques include boolean-based blind, error-based, and time-based blind SQL injection methods, which manipulate the database responses to infer or extract data.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized disclosure of sensitive database information such as schema details and user credentials.
Attackers can leverage this flaw to gain deeper access into the backend database, potentially leading to further compromise of the application and exposure of confidential data.
Because the vulnerability allows execution of arbitrary SQL queries, it can also be used to manipulate or corrupt data, disrupt application functionality, or escalate privileges within the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the vulnerable endpoint `collection_edit.php` with crafted POST requests targeting the `keywords` parameter.
A practical approach is to use automated tools like sqlmap to detect and exploit the vulnerability by sending specially crafted payloads.
- Use sqlmap with the following example command to test the vulnerability:
- sqlmap -u "http://localhost/pages/collection_edit.php" --data="keywords=TEST&CSRFToken=token&redirect=&ref=&submitted=1&name=test©=0&save=Save&public=0&autocomplete_parameter=&users=" -p keywords --dbms=mysql --level=5 --risk=3 --technique=ETB
This command targets the `keywords` POST parameter using error-based, time-based, and boolean-based SQL injection techniques to confirm the presence of the vulnerability and enumerate database information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in ResourceSpace 8.6 allows attackers to extract sensitive database information such as schema names, user credentials, and other confidential data. This exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and confidential information.
ResourceSpace as a platform supports enterprise-grade security features including GDPR compliance, encryption, audit trails, and precise privacy controls to ensure data privacy and regulatory adherence. However, the presence of this vulnerability undermines these protections by enabling unauthorized data access.
Therefore, exploitation of this vulnerability could result in breaches of regulatory requirements related to data confidentiality, integrity, and access control, potentially leading to legal and financial consequences for organizations using the affected software.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in ResourceSpace 8.6, immediate steps include restricting access to the vulnerable endpoint (collection_edit.php) to only trusted authenticated users with minimal privileges.
Ensure that user input, especially the 'keywords' POST parameter, is properly sanitized and validated to prevent injection of malicious SQL code.
Apply any available patches or updates from ResourceSpace or Montala Limited that address this vulnerability.
Monitor logs for suspicious POST requests targeting the 'keywords' parameter and consider implementing Web Application Firewall (WAF) rules to block SQL injection attempts.
Limit database user privileges to the minimum necessary to reduce the impact of a potential exploit.