CVE-2021-41765
CRITICALResourceSpace 9.5-9.6 < rev 18274 - Unauthenticated SQL Injection via k Parameter
Title source: llmDescription
A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the full contents of the ResourceSpace database, including user session cookies. An attacker who gets an admin user session cookie can use the session cookie to execute arbitrary code on the server.
References (2)
Core 2
Core References
Broken Link, Vendor Advisory x_refsource_misc
http://svn.resourcespace.com/svn/rs/releases/9.6/pages/edit_fields/9_ajax/add_keyword.php
Exploit, Third Party Advisory x_refsource_misc
https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/
Scores
CVSS v3
9.8
EPSS
0.6784
EPSS Percentile
99.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (2)
montala/resourcespace
9.5
montala/resourcespace
9.6
Published
Nov 15, 2021
Tracked Since
Feb 18, 2026