CVE-2019-25693
Published: 12 April 2026
Summary
CVE-2019-25693 is a high-severity CSRF (CWE-352) vulnerability in Montala Resourcespace. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25693 is an SQL injection vulnerability in ResourceSpace version 8.6. The issue affects the collection_edit.php component, where attackers can inject malicious SQL code through the keywords parameter in POST requests, enabling execution of arbitrary SQL queries.
Authenticated attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows extraction of sensitive database information, including schema names, user credentials, and other confidential data. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact with low integrity impact and no availability impact. Associated CWEs are CWE-352 and CWE-89.
Advisories and related resources include a public exploit at https://www.exploit-db.com/exploits/46274, a VulnCheck advisory at https://www.vulncheck.com/advisories/resourcespace-sql-injection-via-collection-edit-php, and vendor pages at https://www.resourcespace.com/ and https://www.resourcespace.com/get. The CVE was published on 2026-04-12T13:16:32.270.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20128
Vulnerability details
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a web application directly matches T1190 (Exploit Public-Facing Application). Because successful exploitation enables extraction of database credentials, it also matches T1552 (Unsecured Credentials).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection attacks by requiring validation of the keywords parameter in collection_edit.php before it is incorporated into SQL queries.
- SI-2 (Flaw Remediation): remediates the specific SQL injection flaw in ResourceSpace 8.6's collection_edit.php through timely identification, reporting, and correction.
- Enforces restrictions on the keywords parameter at the application boundary to block malicious SQL payloads in POST requests.
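As an added illustration of the controls above (this is not ResourceSpace's own code, which the page does not show), the following hypothetical PHP handler for a POSTed keywords field contrasts the string-concatenation pattern that SI-10 guards against with a hardened version that checks a session-bound CSRF token (CWE-352), normalises and length-limits the input at the boundary, and binds each keyword through a PDO prepared statement (CWE-89). The table, column and function names are assumed.

```php
<?php
// Added example, not ResourceSpace code: a hypothetical handler in the style
// of collection_edit.php that receives a "keywords" field via POST.
// The table/column names (keyword, ref) and the $sessionToken source are assumed.
declare(strict_types=1);

// Vulnerable pattern, shown only to make clear what SI-10 is protecting against:
// the raw parameter is spliced into the query text, so its contents can change
// the meaning of the SQL statement.
function find_keyword_ids_vulnerable(PDO $db, string $keywords): array
{
    $sql = "SELECT ref FROM keyword WHERE keyword = '" . $keywords . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: reject requests whose token does not match the session's
// token (CWE-352), validate and bound the input at the application boundary
// (SI-10), and pass every keyword as a bound parameter (CWE-89).
function find_keyword_ids_hardened(PDO $db, array $post, string $sessionToken): array
{
    $token = isset($post['csrf_token']) ? (string) $post['csrf_token'] : '';
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if ($token === '' || !hash_equals($sessionToken, $token)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }

    $raw = isset($post['keywords']) ? (string) $post['keywords'] : '';
    // Split on commas, trim whitespace, drop empty entries, and cap count/length.
    $keywords = array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
    $keywords = array_slice($keywords, 0, 50);
    foreach ($keywords as $k) {
        if (strlen($k) > 100) {
            throw new InvalidArgumentException('keyword too long');
        }
    }
    if ($keywords === []) {
        return [];
    }

    // One placeholder per keyword; the values never become part of the SQL text.
    $placeholders = implode(',', array_fill(0, count($keywords), '?'));
    $stmt = $db->prepare("SELECT ref FROM keyword WHERE keyword IN ($placeholders)");
    $stmt->execute($keywords);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

The hardened function fails closed: a missing or mismatched token, or an over-long keyword, raises before any database call is made.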