CVE-2025-22980
📋 TL;DR
A SQL injection vulnerability in SLiMS 9 Bulian 9.6.1 allows attackers to execute arbitrary SQL commands via the tempLoanID parameter in the loan form. This affects all systems running the vulnerable version of this library management software. Attackers could potentially access, modify, or delete database content.
💻 Affected Systems
- Senayan Library Management System SLiMS 9 Bulian
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise, including data theft, data manipulation and privilege escalation, with potential server takeover if the SQL injection can be chained into remote code execution.
Likely Case
Unauthorized access to sensitive library patron data, loan records, and administrative information stored in the database.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.
🎯 Exploit Status
Exploitation requires authentication to the circulation module. Public proof-of-concept demonstrates SQL injection via tempLoanID parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.6.2 or later
Vendor Advisory: https://github.com/slims/slims9_bulian/issues/270
Restart Required: No
Instructions:
1. Back up your database and application files.
2. Download the latest version from the official SLiMS repository.
3. Replace the vulnerable files with the patched versions.
4. Verify the fix by testing the loan form functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so the tempLoanID parameter is checked before it is used in any query.
Modify /admin/modules/circulation/loan.php to accept tempLoanID only if it validates as an integer, using is_numeric() or filter_var() (filter_var() with FILTER_VALIDATE_INT is the stricter of the two, since is_numeric() also accepts floats and exponent notation).
WAF Rule Implementation
Block SQL injection patterns aimed at the loan.php endpoint.
Add a WAF rule that denies requests to /admin/modules/circulation/loan.php whose tempLoanID parameter contains SQL keywords or quote characters.
🧯 If You Can't Patch
- Restrict access to /admin/modules/circulation/ directory using .htaccess or web server configuration
- Implement database user with minimal privileges (read-only for circulation functions)
🔍 How to Verify
Check if Vulnerable:
Test the loan form with SQL injection payloads in the tempLoanID parameter (e.g., 1' OR '1'='1) and observe whether database errors or unexpected behavior result.
Check Version:
Check the version.php file or SLiMS admin dashboard for version information
Verify Fix Applied:
Repeat the same SQL injection tests after patching; the application should reject the malicious input or handle it with a proper error rather than passing it to the database.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed loan form submissions with special characters
- Unexpected database queries from circulation module
Network Indicators:
- HTTP POST requests to /admin/modules/circulation/loan.php containing SQL keywords
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/admin/modules/circulation/loan.php" AND (param="tempLoanID" AND value MATCH "[';]|UNION|SELECT|INSERT|UPDATE|DELETE")
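The SIEM query above matches on the raw parameter value, which misses the same payload once it is URL-encoded in a POST body. The following is an added example, not part of the advisory or of SLiMS, that URL-decodes query and body parameters before applying the advisory's keyword pattern and additionally flags any tempLoanID that is not a plain integer; the log line format and the sample lines are constructed for this demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Advisory endpoint and its SIEM keyword pattern (word boundaries added to cut false positives).
TARGET_URI = "/admin/modules/circulation/loan.php"
SQLI_PATTERN = re.compile(r"[';]|\b(UNION|SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)

# Hypothetical log format assumed here: METHOD target body="<url-encoded form body>".
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) body="(?P<body>[^"]*)"$')

# Constructed sample lines (not from any real deployment). Line 2 carries the
# advisory's example payload URL-encoded, which a match on the raw body would miss.
SAMPLE_LOGS = [
    'POST /admin/modules/circulation/loan.php body="tempLoanID=42&memberID=M001"',
    'POST /admin/modules/circulation/loan.php body="tempLoanID=1%27+OR+%271%27%3D%271&memberID=M001"',
    'POST /admin/modules/circulation/loan.php body="tempLoanID=7%20UNION%20SELECT%20null"',
    'GET /admin/modules/circulation/loan.php?tempLoanID=3 body=""',
    'POST /admin/modules/membership/index.php body="tempLoanID=1%27"',
]

def parse_line(line):
    """Split a log line into (path, params); query and body parameters are URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(m.group("body"), keep_blank_values=True))  # body wins on conflict
    return parts.path, params

def check_value(value):
    """Return a reason if the decoded tempLoanID looks hostile (it should be an integer), else None."""
    if SQLI_PATTERN.search(value):
        return "sqli-pattern"
    if not value.isdigit():
        return "non-integer"
    return None

def flag_lines(lines):
    """Return (line_number, reason, decoded_value) for each suspicious loan.php request."""
    hits = []
    for n, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None or parsed[0] != TARGET_URI:
            continue
        for value in parsed[1].get("tempLoanID", []):
            reason = check_value(value)
            if reason:
                hits.append((n, reason, value))
    return hits
```

Running flag_lines(SAMPLE_LOGS) reports lines 2 and 3 only; the request to a different module and the legitimate integer values are left alone.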