Platform
php
Component
resourcespace
Fixed in
8.6.1
CVE-2019-25693 describes a SQL injection vulnerability discovered in ResourceSpace version 8.6. This flaw allows authenticated attackers to inject malicious SQL code through the 'keywords' parameter within the collection_edit.php file, potentially leading to unauthorized data access and manipulation. The vulnerability was published on 2026-04-12 and a fix is available in a patched version of ResourceSpace.
The SQL Injection vulnerability in ResourceSpace 8.6 poses a significant risk to data confidentiality and integrity. An attacker who can authenticate to the system can leverage this flaw to execute arbitrary SQL queries against the database. This could allow them to extract sensitive information, including database schema details, user credentials (usernames and passwords), and other confidential data stored within the ResourceSpace database. The impact extends beyond simple data retrieval; an attacker could potentially modify or delete data, or even gain control of the underlying database server, depending on the database permissions granted to the ResourceSpace application. While authentication is required, compromised user accounts could be exploited to gain access.
CVE-2019-25693 was published on 2026-04-12. There is no indication of active exploitation campaigns targeting this vulnerability at this time. Public proof-of-concept (PoC) code may exist or emerge, increasing the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using ResourceSpace 8.6, particularly those with sensitive data stored in their databases, are at risk. Environments with weak password policies or compromised user accounts are especially vulnerable, as an attacker could leverage these credentials to exploit the SQL injection flaw.
• php / server:
# Locate collection_edit.php under the web root and show where it handles the 'keywords' parameter (adjust the path to your installation; this only finds the code, it does not prove the fix is present)
grep -rn --include=collection_edit.php 'keywords' /var/www/html/
• generic web:
# Requires an authenticated session (replace the placeholder cookie). A lone quote is enough to surface a database syntax error on an unpatched instance; a destructive statement is not needed for the check.
curl -s -X POST -b 'SESSION_COOKIE_PLACEHOLDER' -d "keywords='" http://your-resourcespace-instance/collection_edit.php | grep -i 'error in your query'
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2019-25693 is to upgrade to a patched version of ResourceSpace that addresses this vulnerability. If immediate upgrading is not possible, consider implementing temporary workarounds. Input validation and sanitization on the 'keywords' parameter in collection_edit.php can help prevent malicious SQL code from being injected. Web Application Firewalls (WAFs) configured to detect and block SQL injection attempts can provide an additional layer of protection. Regularly review and restrict database user permissions to minimize the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple SQL query through the keywords parameter and verifying that it is properly sanitized.
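The input validation advice above is met most reliably by parameterized queries, which keep the query text fixed no matter what the 'keywords' value contains. The PHP below is an added illustration, not ResourceSpace's code: the table, column and function names are hypothetical, and the in-memory SQLite rows are constructed. It places a lookup that concatenates the parameter into SQL next to the same lookup done with a PDO prepared statement, and runs both against the same input.

```php
<?php
// Added example (not ResourceSpace code): the class of defect described for
// CVE-2019-25693 beside the standard fix. Table, column and function names are
// hypothetical; the data is constructed for the demo.

declare(strict_types=1);

/**
 * Vulnerable pattern: the user-supplied value becomes part of the SQL text,
 * so it can change the structure of the query instead of being matched.
 */
function search_keywords_vulnerable(PDO $db, string $keywords): array
{
    $sql = "SELECT ref, name FROM collection WHERE keywords LIKE '%" . $keywords . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened pattern: the SQL text is constant and the value is bound as a
 * parameter, so the database never parses it as SQL. Length and control
 * character checks are defence in depth, not the primary control.
 */
function search_keywords_safe(PDO $db, string $keywords): array
{
    // Reject oversized input and control characters before touching the database.
    if (strlen($keywords) > 200 || preg_match('/[\x00-\x1F]/', $keywords)) {
        throw new InvalidArgumentException('invalid keywords value');
    }
    // Escape LIKE wildcards with an explicit ESCAPE character so user input
    // is matched literally rather than interpreted as a pattern.
    $escaped = strtr($keywords, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $pattern = '%' . $escaped . '%';

    $stmt = $db->prepare(
        "SELECT ref, name FROM collection WHERE keywords LIKE :kw ESCAPE '!'"
    );
    $stmt->execute([':kw' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database (constructed rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE collection (ref INTEGER PRIMARY KEY, name TEXT, keywords TEXT)');
$db->exec("INSERT INTO collection (name, keywords) VALUES
    ('Public photos', 'landscape'),
    ('Board papers', 'confidential')");

// Constructed input that closes the quoted literal and comments out the rest.
$input = "x%' OR 1=1 --";

// Concatenation: the WHERE clause becomes "... LIKE '%x%' OR 1=1 --%'", so
// both rows come back even though neither contains the search text.
print_r(search_keywords_vulnerable($db, $input));

// Prepared statement: the same input is matched literally and returns no rows.
print_r(search_keywords_safe($db, $input));
```

The contrast is the point of the check the paragraph recommends after upgrading: a fixed handler returns the literal match (here, no rows) for input that would alter a concatenated query. The validation in `search_keywords_safe` is intentionally simple; it narrows what reaches the database but the prepared statement is what removes the injection.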
Update ResourceSpace to a fixed version. Consult the official ResourceSpace documentation or website for specific instructions on how to update and apply security patches.
CVE-2019-25693 is a SQL injection vulnerability in ResourceSpace 8.6 that allows authenticated attackers to execute SQL queries through the keywords parameter, potentially exposing sensitive data.
If you are running ResourceSpace version 8.6 and have not applied a patch, you are potentially affected by this vulnerability. Authentication is required to exploit it.
Upgrade ResourceSpace to a patched version that addresses the SQL injection vulnerability. Input validation and WAF rules can provide temporary mitigation.
There is currently no widespread evidence of active exploitation of CVE-2019-25693, but it remains a significant risk.
Refer to the ResourceSpace security advisories page for the latest information and updates regarding CVE-2019-25693.