CVE-2025-45820 is a medium-severity SQL Injection vulnerability affecting Slims (Senayan Library Management Systems) version 9 Bulian 9.6.1. The vulnerability exists in the file admin/modules/bibliography/pop_author_edit.php, where user-supplied input is improperly sanitized before being incorporated into SQL queries. This lack of input validation allows an unauthenticated attacker to inject malicious SQL code remotely over the network (AV:N), without any privileges (PR:N) or user interaction (UI:N). The vulnerability impacts the confidentiality and integrity of the database, enabling attackers to read or modify sensitive data related to library bibliographies and authors. However, it does not affect availability. The CVSS 3.1 base score is 6.5, reflecting a medium severity level. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved on April 22, 2025, and published on May 8, 2025. Slims is an open-source library management system widely used in academic, public, and research libraries, especially in countries where open-source solutions are preferred for cost-effectiveness and customization. The vulnerability could allow attackers to extract or alter bibliographic data, potentially compromising library operations and user privacy.

For European organizations, particularly libraries, universities, and research institutions using Slims 9 Bulian 9.6.1, this vulnerability poses a risk to the confidentiality and integrity of bibliographic and user data. Exploitation could lead to unauthorized disclosure of sensitive information, such as author details, publication records, and potentially user borrowing histories if stored in the same database. Data tampering could disrupt library catalog accuracy, affecting research and academic activities. Although availability is not directly impacted, the loss of data integrity could degrade trust in library systems and require costly remediation efforts. Given the unauthenticated remote exploitability, attackers could leverage this vulnerability to gain footholds in library networks, potentially pivoting to other internal systems. The lack of known exploits currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts. European organizations relying on Slims should consider this vulnerability a moderate threat to their information security posture.

1. Immediate mitigation involves restricting external access to the vulnerable admin module (admin/modules/bibliography/pop_author_edit.php) via network segmentation or firewall rules to limit exposure. 2. Implement web application firewalls (WAFs) with SQL Injection detection and prevention rules tailored to the Slims application context. 3. Conduct thorough input validation and sanitization on all user inputs in the affected module, preferably using parameterized queries or prepared statements to eliminate SQL Injection vectors. 4. Monitor logs for suspicious SQL query patterns or unexpected database errors indicative of exploitation attempts. 5. Engage with the Slims community or maintainers to obtain or contribute patches that address this vulnerability. 6. Plan for timely patch deployment once available, including testing in staging environments to ensure stability. 7. Educate system administrators and library staff about the risks and signs of exploitation to enhance detection capabilities. 8. Regularly back up bibliographic databases and verify backup integrity to enable recovery in case of data tampering.