CVE-2025-10592

6.3 MEDIUM

📋 TL;DR

CVE-2025-10592 is an SQL injection vulnerability in itsourcecode Online Public Access Catalog OPAC 1.0 that allows attackers to execute arbitrary SQL commands through the mysearch.php file. This affects all systems running the vulnerable software version, potentially exposing database contents including user credentials and sensitive catalog data. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • itsourcecode Online Public Access Catalog OPAC
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The mysearch.php file with POST parameter handling is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, and potential system takeover through subsequent attacks.

🟠 Likely Case

Unauthorized access to sensitive catalog data, user information extraction, and potential data manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects a public-facing web application component.
🏢 Internal Only: MEDIUM - Internal systems could still be targeted by authenticated malicious insiders or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exploit available on GitHub. Attack requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries in mysearch.php

Modify mysearch.php to use prepared statements with parameterized queries instead of direct SQL concatenation
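
One way to apply the prepared-statement workaround, as an added example (not the vendor's code and not the actual contents of mysearch.php). It assumes search_field selects the column to search and search_text is the search term; the `books` table, its column names and the `opac_search` function are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: search_field names the column to search, search_text is the term.
// Identifiers cannot be bound as parameters, so the request value is only used
// as a key into this fixed allowlist (hypothetical column names).
const SEARCH_COLUMNS = ['title' => 'title', 'author' => 'author', 'isbn' => 'isbn'];

function opac_search(PDO $db, string $searchField, string $searchText): array
{
    if (!array_key_exists($searchField, SEARCH_COLUMNS)) {
        throw new InvalidArgumentException('unsupported search_field');
    }
    if ($searchText === '' || strlen($searchText) > 100) { // length limit is an arbitrary choice
        throw new InvalidArgumentException('search_text must be 1-100 bytes');
    }
    $column = SEARCH_COLUMNS[$searchField]; // taken from the constant, never from the request

    // Escape LIKE wildcards so %, _ and the escape character match literally.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $searchText);

    // search_text travels as a bound parameter; it is never concatenated into SQL.
    $stmt = $db->prepare(
        "SELECT id, title, author, isbn FROM books WHERE $column LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite) so the
// example runs offline; a real deployment would pass its own PDO connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT, isbn TEXT)');
$db->exec("INSERT INTO books (title, author, isbn) VALUES
    ('Sample Book A', 'Author One', '000-0000000001'),
    ('Sample Book B', 'Author Two', '000-0000000002')");

// Ordinary search, then a term containing quote characters: bound as data, not SQL.
printf("%d row(s)\n", count(opac_search($db, 'title', 'Sample')));
printf("%d row(s)\n", count(opac_search($db, 'title', "x' OR '1'='1")));

// A search_field outside the allowlist is rejected before any SQL is built.
try {
    opac_search($db, 'title; --', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

When the connection is PDO with the MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the statement prepare on the server rather than in the client library.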

Web Application Firewall Rules

all

Deploy WAF rules to block SQL injection patterns targeting search parameters

Configure WAF to block requests containing SQL keywords in search_field/search_text parameters

🧯 If You Can't Patch

  • Isolate the OPAC system behind a reverse proxy with strict input filtering
  • Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test the search functionality with SQL injection payloads in search_field/search_text parameters

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Attempt SQL injection after implementing parameterized queries and verify error responses are sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple failed search attempts with special characters
  • Long parameter values in POST requests to mysearch.php

Network Indicators:

  • SQL keywords in POST request bodies
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server" AND url="*mysearch.php*" AND (param="*search_field*" OR param="*search_text*") AND (value="*' OR *" OR value="*;--*" OR value="*UNION*")
