CVE-2025-45818: n/a

Severity: Medium
Published: Thu May 08 2025 (05/08/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/item_status.php.

AI-Powered Analysis

Last updated: 07/12/2025, 03:02:48 UTC

Technical Analysis

CVE-2025-45818 is a medium-severity SQL Injection vulnerability in Slims (Senayan Library Management Systems) version 9 Bulian 9.6.1, located in the admin/modules/master_file/item_status.php component. SQL Injection (CWE-89) occurs when untrusted input is concatenated into a SQL statement without sanitization or parameter binding, so that characters in the input (a single quote, a comment sequence, a UNION keyword) change the structure of the query instead of being treated as data. The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) records network-reachable exploitation with no privileges and no user interaction; combined with low confidentiality impact, low integrity impact and no availability impact, this is consistent with the reported score of 6.5. Practitioners should note that the affected script sits under the admin module, so whether the PR:N rating holds in a given deployment depends on whether the script enforces an administrator session before it touches the database; the record does not state which request parameter is injectable. A successful injection lets an attacker read or modify data held in the library database. No exploits in the wild were known at publication, and no patch or vendor advisory had been linked. The CVE was reserved on April 22, 2025 and published on May 8, 2025. Slims is an open-source library management system used primarily by libraries to manage cataloging, circulation and other library operations; the affected module manages item status, the master data used to track the availability and condition of library materials.
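To make the CWE-89 mechanism concrete, the following added example (not code from the SLiMS project or from this advisory) builds the same item-status lookup two ways against an in-memory SQLite database that stands in for the MySQL backend behind SLiMS. The table names, columns, rows and the request value are constructed for the demo and are not taken from item_status.php.

```python
"""Added example (not SLiMS code): the same lookup built by string
concatenation (CWE-89) and with a bound parameter.

SQLite in memory stands in for the MySQL database behind SLiMS; the
tables, columns, rows and request values below are constructed for this
demo and are not taken from admin/modules/master_file/item_status.php.
"""
import sqlite3

# Constructed sample data (assumed schema, not the real SLiMS schema).
STATUS_ROWS = [("AV", "Available"), ("LO", "Lost"), ("REP", "Under Repair")]
MEMBER_ROWS = [("M001", "Constructed Patron")]

# Constructed injection strings used against the vulnerable builder.
TAUTOLOGY = "x' OR '1'='1"
UNION_READ = "x' UNION SELECT member_id, member_name FROM member--"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mst_item_status (item_status_id TEXT, item_status_name TEXT)")
    conn.execute("CREATE TABLE member (member_id TEXT, member_name TEXT)")
    conn.executemany("INSERT INTO mst_item_status VALUES (?, ?)", STATUS_ROWS)
    conn.executemany("INSERT INTO member VALUES (?, ?)", MEMBER_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, status_id: str) -> list:
    # CWE-89: the request value is spliced into the SQL text. A quote in
    # the value closes the literal and everything after it is parsed as SQL.
    sql = ("SELECT item_status_id, item_status_name FROM mst_item_status "
           "WHERE item_status_id = '" + status_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, status_id: str) -> list:
    # Hardened form: the value is bound as a parameter, so the SQL parser
    # never sees it and quotes, comments and keywords in it stay data.
    sql = ("SELECT item_status_id, item_status_name FROM mst_item_status "
           "WHERE item_status_id = ?")
    return conn.execute(sql, (status_id,)).fetchall()


def demo() -> dict:
    """Run both builders with a legitimate value and with the two payloads."""
    conn = make_db()
    return {
        "legit_vuln": lookup_vulnerable(conn, "LO"),
        "legit_safe": lookup_parameterized(conn, "LO"),
        # The tautology turns a one-row lookup into a dump of the whole table.
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_parameterized(conn, TAUTOLOGY),
        # UNION pulls a row from an unrelated table: the confidentiality impact.
        "union_vuln": lookup_vulnerable(conn, UNION_READ),
        "union_safe": lookup_parameterized(conn, UNION_READ),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} -> {rows}")
```

With the concatenated query the tautology returns every status row and the UNION payload returns the constructed member row; the parameterized query returns nothing for either payload because the whole string is compared as a literal value. The same contrast holds for MySQL prepared statements (mysqli or PDO in PHP), which is the fix the mitigation section asks for.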

Potential Impact

For European organizations, particularly libraries, educational institutions, and cultural heritage organizations running Slims 9.6.1, this vulnerability poses a risk of unauthorized data disclosure and data tampering. An attacker exploiting the SQL Injection could read patron records, borrowing histories, or internal administrative data, leading to privacy violations and reputational damage. Tampering with item status data would corrupt the record of which materials are available, disrupting circulation and user services. The vulnerability does not directly affect system availability, but the operational disruption and data integrity issues could indirectly affect service continuity. Because libraries process personal data subject to GDPR, exploitation could also trigger regulatory compliance issues and fines. The published vector's absence of an authentication requirement raises the exposure, since a remote attacker would need no credentials.

Mitigation Recommendations

Specific mitigation steps:

1) Review admin/modules/master_file/item_status.php and any code it includes, and move every database access that uses request data to parameterized queries or prepared statements. Escaping alone is a weaker substitute and is easy to miss on a single parameter.
2) Deploy Web Application Firewall (WAF) rules that inspect requests to the vulnerable endpoint for SQL Injection syntax. Treat this as a stopgap: signature rules can be bypassed with encoding and keyword variation, so they reduce exposure rather than close the flaw.
3) Restrict access to the admin interface by IP allow-listing or VPN. Because the published vector rates the flaw as exploitable without authentication, network-level restriction of the admin path is the most effective interim control.
4) Monitor web-server and database logs for requests to the endpoint that contain quotes, comment sequences, UNION or time-delay functions, and for unusual query patterns or database errors.
5) Upgrade to a patched version as soon as one is released, or apply a community patch if one is provided, and verify the fix by re-testing the endpoint.
6) Conduct security testing, automated and manual, focused on SQL Injection vectors in the affected module and in neighbouring master_file scripts that may share the same coding pattern.
7) Educate administrators on secure configuration and the importance of applying updates promptly.

These steps focus on the specific vulnerable component and on operational controls that reduce the attack surface until a patch is available.
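A log check for the monitoring recommendation, added here as an example and not code from the SLiMS project or from this advisory. It scans constructed Apache/nginx-style access-log lines for requests to the affected path whose query parameters carry injection syntax, decoding twice so that double-encoded payloads are not missed. The parameter names (itemStatusID, itemStatusName) are assumptions for the demo, not the script's real parameters, and every log line is constructed.

```python
"""Added example (not SLiMS or vendor code): flag SQL Injection attempts
against the affected endpoint in web-server access logs.

The log lines are constructed for this demo, and the query parameter
names (itemStatusID, itemStatusName) are assumptions, not the real
parameters of item_status.php.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/admin/modules/master_file/item_status.php"

# Injection syntax worth alerting on. Tune against local traffic: a lone
# apostrophe is common in legitimate data, so each pattern needs context.
SQLI_PATTERNS = {
    "quote_boolean": re.compile(r"'\s*(or|and)\s+['\d]", re.I),   # ' OR '1'='1
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
}

# Combined log format: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one benign lookup, one single-encoded tautology,
# one double-encoded UNION probe, a benign apostrophe, and an unrelated path.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2025:10:01:12 +0000] "GET /admin/modules/master_file/item_status.php?itemStatusID=AV HTTP/1.1" 200 1480
203.0.113.7 - - [08/May/2025:10:01:15 +0000] "GET /admin/modules/master_file/item_status.php?itemStatusID=AV%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
198.51.100.23 - - [08/May/2025:10:02:03 +0000] "GET /admin/modules/master_file/item_status.php?itemStatusID=x%2527%2520UNION%2520SELECT%2520member_id,member_name%2520FROM%2520member-- HTTP/1.1" 200 6012
192.0.2.9 - - [08/May/2025:10:03:44 +0000] "GET /admin/modules/master_file/item_status.php?itemStatusID=AV&itemStatusName=O%27Brien HTTP/1.1" 200 1480
192.0.2.9 - - [08/May/2025:10:04:01 +0000] "GET /index.php?search=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 900
"""


def scan_line(line: str) -> Optional[dict]:
    """Return an alert for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None   # scoped to the vulnerable script; drop this to scan site-wide
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; a second pass exposes double-encoded
        # payloads (%2527 -> %27 -> ') used to slip past naive filters.
        value = unquote_plus(value)
        for label, pattern in SQLI_PATTERNS.items():
            if pattern.search(value):
                hits.append((name, label))
                break
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "hits": hits}


def scan_log(text: str) -> list:
    return [a for a in (scan_line(ln) for ln in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Two of the five constructed lines are flagged: the single-encoded tautology and the double-encoded UNION probe. The O'Brien value is not flagged, and the index.php probe is ignored only because the scan is scoped to the affected path. Access logs do not contain POST bodies, so injection sent in a form body needs a WAF or application-level request logging to be seen; the same patterns translate directly into WAF rules for the second recommendation.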

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd69b9

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 3:02:48 AM

Last updated: 7/26/2025, 7:27:05 PM
