CVE-2019-25693
Received Received - Intake
SQL Injection in ResourceSpace 8.6 Allows Data Extraction

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: VulnCheck

Description
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25693
EUVD
EUVD-2019-20128
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
montala resourcespace 8.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25693 is a SQL injection vulnerability in ResourceSpace version 8.6 that affects the collection_edit.php page. Authenticated attackers can exploit this vulnerability by injecting malicious SQL code through the 'keywords' POST parameter.

This injection allows attackers to execute arbitrary SQL queries on the backend MySQL database, enabling them to extract sensitive information such as database schema names, user credentials, and other confidential data.

The attack techniques include boolean-based blind, error-based, and time-based blind SQL injection methods, which manipulate the database responses to infer or extract data.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive database information such as schema details and user credentials.

Attackers can leverage this flaw to gain deeper access into the backend database, potentially leading to further compromise of the application and exposure of confidential data.

Because the vulnerability allows execution of arbitrary SQL queries, it can also be used to manipulate or corrupt data, disrupt application functionality, or escalate privileges within the system.

Detection Guidance

This SQL injection vulnerability can be detected by testing the vulnerable endpoint `collection_edit.php` with crafted POST requests targeting the `keywords` parameter.

A practical approach is to use automated tools like sqlmap to detect and exploit the vulnerability by sending specially crafted payloads.

  • Use sqlmap with the following example command to test the vulnerability:
  • sqlmap -u "http://localhost/pages/collection_edit.php" --data="keywords=TEST&CSRFToken=token&redirect=&ref=&submitted=1&name=test&copy=0&save=Save&public=0&autocomplete_parameter=&users=" -p keywords --dbms=mysql --level=5 --risk=3 --technique=ETB

This command targets the `keywords` POST parameter using error-based, time-based, and boolean-based SQL injection techniques to confirm the presence of the vulnerability and enumerate database information.

Compliance Impact

The SQL injection vulnerability in ResourceSpace 8.6 allows attackers to extract sensitive database information such as schema names, user credentials, and other confidential data. This exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and confidential information.

ResourceSpace as a platform supports enterprise-grade security features including GDPR compliance, encryption, audit trails, and precise privacy controls to ensure data privacy and regulatory adherence. However, the presence of this vulnerability undermines these protections by enabling unauthorized data access.

Therefore, exploitation of this vulnerability could result in breaches of regulatory requirements related to data confidentiality, integrity, and access control, potentially leading to legal and financial consequences for organizations using the affected software.

Mitigation Strategies

To mitigate the SQL injection vulnerability in ResourceSpace 8.6, immediate steps include restricting access to the vulnerable endpoint (collection_edit.php) to only trusted authenticated users with minimal privileges.

Ensure that user input, especially the 'keywords' POST parameter, is properly sanitized and validated to prevent injection of malicious SQL code.

Apply any available patches or updates from ResourceSpace or Montala Limited that address this vulnerability.

Monitor logs for suspicious POST requests targeting the 'keywords' parameter and consider implementing Web Application Firewall (WAF) rules to block SQL injection attempts.

Limit database user privileges to the minimum necessary to reduce the impact of a potential exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25693. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart