
CVE-2024-25288: n/a

Severity: Medium
Published: Wed Feb 21 2024 (02/21/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vulnerable to SQL Injection via pop-scope-vocabolary.php.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 10:33:24 UTC

Technical Analysis

CVE-2024-25288 identifies a SQL Injection vulnerability in SLIMS (Senayan Library Management Systems) 9 Bulian version 9.6.1, specifically within the pop-scope-vocabolary.php script. The flaw arises from improper sanitization of user-supplied input, allowing an authenticated attacker with high privileges to inject arbitrary SQL commands into queries issued by the script.

The CVSS 3.1 base score is 4.9 (medium): the attack vector is network-based (AV:N) and attack complexity is low (AC:L), but high privileges are required (PR:H) and no user interaction is needed (UI:N). The impact is confined to confidentiality (C:H), with no direct effect on integrity or availability. Exploiting the vulnerability could enable unauthorized disclosure of sensitive data stored in the backend database, such as user credentials, library records, or administrative information.

Although no public exploits or patches are currently available, the presence of this vulnerability in a widely used open-source library management system poses a risk to institutions relying on SLIMS for cataloging and circulation management. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and well-understood class of injection flaws. Because no patch is available, interim mitigations are needed to prevent exploitation until an official fix is released.

Potential Impact

The primary impact of CVE-2024-25288 is the potential unauthorized disclosure of sensitive information from the SLIMS database via SQL Injection. This can compromise the confidentiality of user data, library records, and administrative credentials. While the vulnerability does not directly affect data integrity or system availability, exposure of confidential data can enable follow-on attacks, including privilege escalation or targeted phishing. Organizations worldwide running SLIMS 9.6.1 in academic, public, or private library environments face a risk of data breaches. Because high privileges are required to exploit the flaw, insider threats and compromised administrative accounts pose the greatest risk. The absence of known exploits reduces the immediate threat but does not eliminate it, since attackers may develop exploits over time. The impact is magnified where SLIMS is integrated with other institutional systems or holds personally identifiable information (PII).

Mitigation Recommendations

1. Immediately restrict access to the pop-scope-vocabolary.php script to trusted administrative users and trusted network segments only.
2. Implement strict input validation and sanitization on all parameters accepted by the vulnerable script, using allowlists or prepared statements where possible.
3. Monitor database logs and application logs for unusual or suspicious SQL queries that may indicate attempted injection attacks.
4. Enforce the principle of least privilege by reviewing and limiting user roles and permissions, ensuring that only necessary users hold high-level privileges.
5. Isolate the SLIMS installation within a segmented network zone to reduce exposure.
6. Regularly back up the database and verify backup integrity to prepare for potential incident recovery.
7. Engage with the SLIMS community or vendor for updates and patches addressing this vulnerability.
8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection attempts targeting the vulnerable endpoint.
9. Educate administrators on the risks of SQL Injection and the importance of credential security to prevent privilege misuse.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-02-07T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d63b7ef31ef0b571c2b

Added to database: 2/25/2026, 9:45:07 PM

Last enriched: 2/26/2026, 10:33:24 AM

Last updated: 4/12/2026, 5:08:07 PM
