CVE-2019-25662

HIGH

ResourceSpace 8.6 SQL Injection via watched_searches.php

Title source: cna

Description

ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials.

Exploits (1)

exploitdb WORKING POC

by dd_ · textwebappsphp

https://www.exploit-db.com/exploits/46308

View Code ZIP pw:eip

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-46308

https://www.exploit-db.com/exploits/46308

Product product

Official Product Homepage

https://www.resourcespace.com/

Product product

Product Reference

https://www.resourcespace.com/get

Third Party Advisory third-party-advisory

VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via watched_searches.php

https://www.vulncheck.com/advisories/resourcespace-sql-injection-via-watched-searches-php

Scores

CVSS v3 8.2

EPSS 0.0009

EPSS Percentile 24.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

montala/resourcespace < 8.6

Montala/ResourceSpace 8.6

Published Apr 05, 2026

Tracked Since Apr 06, 2026