Montala
Products
1- 4 CVEs
Recent CVEs
4| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-25662 | Hig | 0.53 | 8.2 | 0.00 | Apr 5, 2026 | ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials. | |
| CVE-2019-25693 | Hig | 0.46 | 7.1 | 0.00 | Apr 12, 2026 | ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data. | |
| CVE-2015-3648 | 0.04 | — | 0.52 | Jun 9, 2015 | Directory traversal vulnerability in pages/setup.php in Montala Limited ResourceSpace before 7.2.6727 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the defaultlanguage parameter. | ||
| CVE-2011-4311 | 0.00 | — | 0.00 | Nov 19, 2011 | ResourceSpace before 4.2.2833 does not properly validate access keys, which allows remote attackers to bypass intended resource restrictions via unspecified vectors. |
- risk 0.53cvss 8.2epss 0.00
ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials.
- risk 0.46cvss 7.1epss 0.00
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.
- CVE-2015-3648Jun 9, 2015risk 0.04cvss —epss 0.52
Directory traversal vulnerability in pages/setup.php in Montala Limited ResourceSpace before 7.2.6727 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the defaultlanguage parameter.
- CVE-2011-4311Nov 19, 2011risk 0.00cvss —epss 0.00
ResourceSpace before 4.2.2833 does not properly validate access keys, which allows remote attackers to bypass intended resource restrictions via unspecified vectors.