{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25693", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-05T15:33:50.051Z", "datePublished": "2026-04-12T12:28:46.757Z", "dateUpdated": "2026-04-12T12:28:46.757Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:46.757Z"}, "datePublic": "2019-01-28T00:00:00.000Z", "title": "ResourceSpace 8.6 SQL Injection via collection_edit.php", "descriptions": [{"lang": "en", "value": "ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "affected": [{"vendor": "Resourcespace", "product": "ResourceSpace", "versions": [{"version": "Stable release: 8.6", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46274", "name": "ExploitDB-46274", "tags": ["exploit"]}, {"url": "https://www.resourcespace.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.resourcespace.com/get", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via collection_edit.php", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/resourcespace-sql-injection-via-collection-edit-php"}], "credits": [{"lang": "en", "value": "dd_ (info@malicious.group)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data."}], "id": "CVE-2019-25693", "lastModified": "2026-04-12T13:16:32.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-12T13:16:32.270", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46274"}, {"source": "disclosure@vulncheck.com", "url": "https://www.resourcespace.com/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.resourcespace.com/get"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/resourcespace-sql-injection-via-collection-edit-php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Stable release: 8.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ResourceSpace", "source": "cna", "vendor": "Resourcespace"}, "product": "resourcespace", "vendor": "resourcespace"}], "analysis": {"en": {"generated_at": "2026-04-12T14:20:41.548108+00:00", "value": {"mitigation_remediation": ["Verify whether your deployment is running ResourceSpace\u00a08.6", "Apply the latest vendor\u2011supplied patch or upgrade to a version where the issue is fixed", "If a patch is not immediately available, restrict access to collection_edit.php to trusted administrators only", "Ensure the database account used by ResourceSpace has the least privileges necessary to perform required operations"], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure via SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability is specific to ResourceSpace version 8.6. No other versions are mentioned as affected, and the flaw is confined to the collection_edit.php component of that release.", "description_and_impact": "ResourceSpace 8.6 contains a flaw that allows an authenticated attacker to inject arbitrary SQL commands through the keywords field in collection_edit.php. By submitting specially crafted POST requests, an attacker can execute any database query, enabling the extraction of sensitive data such as schema names, user credentials, and other confidential information. The description clearly identifies the attack as a traditional SQL injection scenario; however, the CWE listed is 352, which normally denotes Cross\u2011Site Request Forgery, indicating a possible mis\u2011classification in the advisory.", "risk_and_exploitability": "The CVSS score of 7.1 classifies this flaw as high severity, reflecting the potential for significant data exposure once authenticated. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited public exploitation evidence. Because the flaw requires an authenticated session, the risk is bounded to users who have legitimate, though possibly compromised, credentials. Once exploited, confidentiality is breached, and the ability to execute arbitrary queries could also allow data modification, affecting integrity."}}}}, "created": "2026-04-13T12:41:20.341513+00:00", "updated": "2026-04-13T12:55:59.208460+00:00", "vendors": ["resourcespace", "resourcespace$PRODUCT$resourcespace"]}