CVE-2019-25662: ResourceSpace 8.6 Unauthenticated SQL Injection
A SQL injection vulnerability tracked as CVE-2019-25662 has been disclosed in ResourceSpace 8.6, a widely deployed open-source Digital Asset Management (DAM) platform. The flaw allows unauthenticated remote attackers to execute arbitrary SQL queries against the backend database by injecting malicious input through the ref parameter on the watched_searches.php endpoint.
The vulnerability carries a CVSS 3.1 score of 8.2 (High) and a CVSS 4.0 score of 8.8 (High). No official patch information is currently documented in the NVD advisory, and a proof-of-concept exploit has been published on Exploit-DB.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2019-25662 |
| CVSS 3.1 Score | 8.2 (High) |
| CVSS 4.0 Score | 8.8 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Product | ResourceSpace 8.6 |
| Vulnerable Endpoint | /watched_searches.php |
| Vulnerable Parameter | ref (GET parameter) |
| Authentication Required | None |
| Attack Vector | Network (unauthenticated remote) |
| Patch Available | Not documented |
| Published (NVD) | April 5, 2026 |
Technical Details
ResourceSpace 8.6's watched_searches.php endpoint accepts a ref GET parameter that is passed directly into a SQL query without adequate sanitization or parameterization. An attacker can craft a GET request with a malicious ref value to manipulate the underlying SQL logic.
Proof-of-Concept Request
```http
GET /watched_searches.php?ref=1%20OR%201=1-- HTTP/1.1
Host: target.example.com
```
Vulnerable Query Pattern
```sql
-- Intended query (ref is interpolated unquoted, which is why the numeric payload above works)
SELECT * FROM watched_searches WHERE ref = 1;
-- After injection: "--" comments out whatever followed the parameter
SELECT * FROM watched_searches WHERE ref = 1 OR 1=1-- ;
-- Returns ALL rows; authentication bypass achieved
```
The injection point enables attackers to:
- Extract usernames and password hashes stored in the ResourceSpace database
- Enumerate database schema to identify additional tables and sensitive records
- Potentially read arbitrary data depending on database user permissions
Because the vulnerability requires no authentication, it is exploitable by any network-accessible attacker without credentials.
Attack Scenario
1. Attacker identifies a ResourceSpace 8.6 instance exposed to the network
2. Attacker sends a crafted GET request to /watched_searches.php with a malicious ref parameter value containing a SQL injection payload
3. The application passes the unsanitized input directly into a SQL query
4. The database executes the injected SQL, returning sensitive rows
5. Attacker extracts usernames, email addresses, and password hashes
6. Attacker uses extracted credentials for further access (account takeover, lateral movement, or credential stuffing against other services)
Impact Assessment
| Impact Area | Detail |
|---|---|
| Confidentiality | High — credential and PII exposure |
| Integrity | Potentially impacted depending on DB permissions |
| Availability | Not directly impacted by this vector |
| Authentication Bypass | No credentials required to exploit |
| Exploit Availability | PoC published on Exploit-DB |
| Lateral Movement Risk | Exposed credentials may enable further network access |
ResourceSpace is used extensively by enterprises, media organizations, and educational institutions to manage digital assets such as images, documents, and multimedia files. Compromise of the backend database could expose sensitive internal assets and user account data.
Remediation
Immediate Actions
- Upgrade ResourceSpace to a version that addresses this vulnerability. Consult the ResourceSpace changelog for the relevant patch release.
- Restrict network access to the ResourceSpace instance — if it does not require public internet exposure, place it behind a VPN or firewall rule that limits access to authorized internal networks only.
- Audit database accounts used by ResourceSpace. Apply the principle of least privilege — the web application's DB user should not have excessive permissions (e.g., `SUPER`, `FILE`, or `DROP`).
- Review access logs for anomalous requests to `watched_searches.php`, particularly those containing SQL metacharacters (`'`, `--`, `OR`, `UNION`).
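The log review in the last item above, as an added example that is not part of this advisory or of ResourceSpace's own tooling: a small Python scanner that decodes the ref value of each watched_searches.php request before matching, so percent-encoded payloads (%20, %27, %3D) are not missed the way they can be by a grep over the raw log line. The endpoint and parameter name come from the advisory; the log lines, IP addresses and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2026:10:01:02 +0000] "GET /watched_searches.php?ref=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:10:01:09 +0000] "GET /watched_searches.php?ref=1%20OR%201%3D1-- HTTP/1.1" 200 8192 "-" "curl/8.4"
198.51.100.4 - - [05/Apr/2026:10:02:15 +0000] "GET /watched_searches.php?ref=7%27%20UNION%20SELECT%201,2-- HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [05/Apr/2026:10:03:00 +0000] "GET /pages/search.php?search=or%201 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Checked against the decoded ref value, so %20/%27/%3D encodings cannot hide
# a payload the way they can from a grep over the raw, still-encoded log line.
SQLI_PATTERNS = [
    re.compile(r"'"),                                    # breaks out of a string literal
    re.compile(r"--|/\*"),                               # SQL comment sequences
    re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I),   # tautology such as OR 1=1
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r";"),                                    # statement terminator
]

def decoded_ref(target):
    """Decoded ref value for a request to /watched_searches.php, else None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != "/watched_searches.php":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("ref")  # parse_qs percent-decodes
    return values[0] if values else None

def is_suspicious_ref(ref):
    """True when ref carries SQL metacharacters; a bare integer (the legitimate shape) is clean."""
    if ref is None or re.fullmatch(r"\d+", ref):
        return False
    return any(p.search(ref) for p in SQLI_PATTERNS)

def scan_log(text):
    """Return (ip, timestamp, decoded ref, status) for every suspicious hit on the endpoint."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        ref = decoded_ref(m["target"]) if m else None
        if is_suspicious_ref(ref):
            hits.append((m["ip"], m["ts"], ref, int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, ts, ref, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} ref={ref!r}")
```

A 500 status on a flagged request is worth treating as a stronger signal than a 200, since a malformed payload often surfaces as a database error before a working one does.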
Detection
Monitor web server access logs for suspicious patterns targeting the vulnerable endpoint:
```bash
# Detect potential SQL injection attempts in access logs.
# Note: the log holds the raw, URL-encoded request line, so "or\s+1" only matches
# an unencoded space; %27 and %3B cover the encoded quote and semicolon.
grep "watched_searches.php" /var/log/nginx/access.log | \
  grep -iE "(union|select|or\s+1|--|%27|%3B)"
```
Key Takeaways
- CVE-2019-25662 affects ResourceSpace 8.6 with an unauthenticated SQL injection in watched_searches.php
- CVSS 8.2 (High) — exploitable without credentials from any network-accessible attacker
- No patch is currently documented — operators should restrict access and investigate upgrade paths immediately
- Proof-of-concept is publicly available on Exploit-DB, lowering the barrier for exploitation
- Audit database privileges and review access logs for suspicious query patterns