Montala

montala

9 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-25693 1Montala 1Resourcespace Apr 17, 2026 Apr 12, 2026 7.1 HIGH· v4 7.1 HIGH· v3 N/A· v2 ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers...Show more ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.Show less
CVE-2019-25662 1Montala 1Resourcespace Apr 14, 2026 Apr 5, 2026 8.8 HIGH· v4 7.5 HIGH· v3 N/A· v2 ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to...Show more ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials.Show less
CVE-2022-31260 1Montala 1Resourcespace Nov 21, 2024 Jul 17, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 In Montala ResourceSpace through 9.8 before r19636, csv_export_results_metadata.php allows attackers to export collection metadata via a non-NULL k value.
CVE-2021-41951 1Montala 1Resourcespace Nov 21, 2024 Nov 15, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter. If an attacker is able to persuade a victim to v...Show more ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter. If an attacker is able to persuade a victim to visit a crafted URL, malicious JavaScript content may be executed within the context of the victim's browser.Show less
CVE-2021-41950 1Montala 1Resourcespace Nov 21, 2024 Nov 15, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 A directory traversal issue in ResourceSpace 9.6 before 9.6 rev 18277 allows remote unauthenticated attackers to delete arbitrary files on the ResourceSpace server via the provider and variant parameters in pages/ajax/ti...Show more A directory traversal issue in ResourceSpace 9.6 before 9.6 rev 18277 allows remote unauthenticated attackers to delete arbitrary files on the ResourceSpace server via the provider and variant parameters in pages/ajax/tiles.php. Attackers can delete configuration or source code files, causing the application to become unavailable to all users.Show less
CVE-2021-41765 1Montala 1Resourcespace Nov 21, 2024 Nov 15, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attack...Show more A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the full contents of the ResourceSpace database, including user session cookies. An attacker who gets an admin user session cookie can use the session cookie to execute arbitrary code on the server.Show less
CVE-2015-6915 1Montala 1Resourcespace May 6, 2026 Sep 11, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier allows remote attackers to execute arbitrary SQL commands via the "user" cookie to plugins/feedback/pages/feedback.php.
CVE-2015-3648 1Montala 1Resourcespace May 6, 2026 Jun 9, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Directory traversal vulnerability in pages/setup.php in Montala Limited ResourceSpace before 7.2.6727 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the defaultlanguage paramet...Show more Directory traversal vulnerability in pages/setup.php in Montala Limited ResourceSpace before 7.2.6727 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the defaultlanguage parameter.Show less
CVE-2011-4311 1Montala 1Resourcespace Apr 29, 2026 Nov 19, 2011 N/A· v4 N/A· v3 5.0 MEDIUM· v2 ResourceSpace before 4.2.2833 does not properly validate access keys, which allows remote attackers to bypass intended resource restrictions via unspecified vectors.