Vulnerability Details CVE-2021-41765

A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the full contents of the ResourceSpace database, including user session cookies. An attacker who gets an admin user session cookie can use the session cookie to execute arbitrary code on the server.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.361
EPSS Ranking 97.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2021-41765

