CVE-2025-45818 is a medium-severity SQL Injection vulnerability identified in Slims (Senayan Library Management Systems) version 9 Bulian 9.6.1, specifically within the admin/modules/master_file/item_status.php component. SQL Injection (CWE-89) vulnerabilities occur when untrusted input is improperly sanitized and directly included in SQL queries, allowing attackers to manipulate the database queries executed by the application. In this case, the vulnerability allows remote attackers to inject malicious SQL code without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vulnerability impacts the confidentiality and integrity of the database, potentially allowing attackers to read or modify sensitive data stored in the library management system. However, availability is not affected. The CVSS score of 6.5 reflects a medium severity level, considering the ease of exploitation and the impact on confidentiality and integrity. There are no known exploits in the wild at the time of publication, and no patches or vendor advisories have been linked yet. The vulnerability was reserved on April 22, 2025, and published on May 8, 2025. Slims is an open-source library management system used primarily by libraries to manage cataloging, circulation, and other library operations. The affected module relates to item status management, which is critical for tracking the availability and condition of library materials.

For European organizations, particularly libraries, educational institutions, and cultural heritage organizations that use Slims 9.6.1, this vulnerability poses a risk of unauthorized data disclosure and data tampering. Attackers exploiting this SQL Injection could access patron records, borrowing histories, or internal administrative data, potentially leading to privacy violations and reputational damage. The integrity compromise could result in incorrect item status information, disrupting library operations and user services. Although the vulnerability does not directly impact system availability, the operational disruption and data integrity issues could indirectly affect service continuity. Given the sensitivity of personal data managed by libraries under GDPR, exploitation could also lead to regulatory compliance issues and fines. The lack of authentication requirement increases the risk, as attackers can exploit the vulnerability remotely without credentials.

Specific mitigation steps include: 1) Immediate code review and sanitization of all inputs in the admin/modules/master_file/item_status.php script to ensure proper use of parameterized queries or prepared statements to prevent SQL Injection. 2) Implement Web Application Firewall (WAF) rules to detect and block SQL Injection attempts targeting the vulnerable endpoint. 3) Restrict access to the admin interface by IP whitelisting or VPN to reduce exposure. 4) Monitor logs for unusual database query patterns or failed injection attempts. 5) If possible, upgrade to a patched version once available or apply community patches if provided. 6) Conduct security testing, including automated and manual penetration tests focusing on SQL Injection vectors in the affected module. 7) Educate administrators on secure configuration and the importance of applying updates promptly. These steps go beyond generic advice by focusing on the specific vulnerable component and operational controls to reduce attack surface until a patch is released.