CVE-2025-45819

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in SLiMS 9 Bulian lets an authenticated attacker execute arbitrary SQL commands through the author.php module (admin/modules/master_file/author.php). It is reachable only by accounts with access to the vulnerable admin interface, but a successful injection can compromise the entire database.

💻 Affected Systems

Products:
  • Senayan Library Management Systems (SLiMS) 9 Bulian
Versions: 9.6.1 and potentially earlier versions
Operating Systems: All platforms running SLiMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to the vulnerable module path admin/modules/master_file/author.php

📦 What is this software?

Senayan Library Management System (SLiMS) is an open-source, web-based library automation system written in PHP with a MySQL/MariaDB backend; "Bulian" is the codename of the SLiMS 9 release line.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, extraction of sensitive information (user credentials, personal data), and potential database manipulation.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and restricted database permissions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin authentication but SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue #281 for latest patched version

Vendor Advisory: https://github.com/slims/slims9_bulian/issues/281

Restart Required: No

Instructions:

1. Check the GitHub issue for official patch
2. Update to the latest SLiMS version
3. Apply parameterized query fixes to author.php
4. Validate all user inputs in affected module

🔧 Temporary Workarounds

Input Validation Workaround (applies to: all platforms)

Add input validation to filter SQL injection attempts: modify author.php to sanitize all user inputs before they reach database queries.
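The following is an added illustration of the fix steps listed under Official Fix and of the input validation workaround above; it is not the SLiMS author.php source and not the project's own patch. It shows a lookup built by string concatenation next to the same lookup that validates the input and then binds it as a parameter. The table and column names (mst_author, author_id, author_name), the $dbs mysqli connection and the itemID / keywords request parameter names are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not the SLiMS author.php source or the project's patch.
// Assumptions: $dbs is a mysqli connection with
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) enabled, and the
// author table/columns are named mst_author / author_id / author_name.

/**
 * BEFORE (vulnerable pattern): the request value is spliced into the SQL text,
 * so a value containing quotes or keywords changes the structure of the query.
 */
function findAuthorUnsafe(mysqli $dbs, string $rawId): ?array
{
    $sql = "SELECT author_id, author_name FROM mst_author WHERE author_id = '" . $rawId . "'";
    $row = $dbs->query($sql)->fetch_assoc();
    return $row ?: null;
}

/**
 * AFTER: the input validation workaround (reject anything that is not an
 * integer ID) plus the real fix (a prepared statement with a bound parameter).
 * Validation narrows what reaches the database; binding guarantees the value
 * is never parsed as SQL, whatever it contains.
 */
function findAuthorSafe(mysqli $dbs, string $rawId): ?array
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        throw new InvalidArgumentException('author id must be a positive integer');
    }
    $id = (int) $rawId;

    $stmt = $dbs->prepare('SELECT author_id, author_name FROM mst_author WHERE author_id = ?');
    $stmt->bind_param('i', $id);          // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Free-text input (a name search) cannot be reduced to a digit check, so the
 * bound parameter does all the work: the LIKE wildcards are added to the bound
 * value, never to the SQL string.
 */
function searchAuthorsSafe(mysqli $dbs, string $keyword): array
{
    $keyword = trim($keyword);
    if ($keyword === '' || mb_strlen($keyword) > 100) {
        return [];
    }
    $pattern = '%' . $keyword . '%';
    $stmt = $dbs->prepare('SELECT author_id, author_name FROM mst_author WHERE author_name LIKE ? LIMIT 50');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage inside the module (request parameter names are assumptions):
// $author  = findAuthorSafe($dbs, (string) ($_GET['itemID'] ?? ''));
// $matches = searchAuthorsSafe($dbs, (string) ($_GET['keywords'] ?? ''));
```

The validation step is the temporary workaround and the prepared statement is the fix; the two are complementary, because a whitelist check cannot be written for every free-text field, whereas a bound parameter covers them all. Enabling strict mysqli error reporting matters too: with it, a failed prepare or execute throws instead of silently returning false, which is what turns a malformed query into the "SQL syntax errors in application logs" indicator listed under Detection & Monitoring.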

Access Restriction (applies to: linux)

Temporarily restrict access to the vulnerable module: add an .htaccess restriction to the admin/modules/master_file/ directory.

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns
  • Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Test author.php module with SQL injection payloads like ' OR '1'='1

Check Version:

Check SLiMS version in system configuration or about page

Verify Fix Applied:

Verify parameterized queries are implemented and input validation is working

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by author.php access
  • SQL syntax errors in application logs

Network Indicators:

  • POST requests to author.php with SQL keywords
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="*author.php*" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*")
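Added example, not from the page, the SLiMS project or any SIEM vendor: the SIEM query above applied in PHP to a handful of constructed combined-format access log lines, with the query string URL-decoded before matching, which the raw query="*SELECT*" pattern does not do. The log format, IP addresses, usernames and request lines are constructed samples.

```php
<?php
declare(strict_types=1);

// Added example, not part of the page or the SLiMS project. The log lines are
// constructed samples in the Apache/Nginx "combined" format; the field layout
// is an assumption, adjust the regex if your server logs differently.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - admin [12/May/2025:10:01:02 +0000] "GET /admin/modules/master_file/author.php?itemID=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2025:10:01:09 +0000] "GET /admin/modules/master_file/author.php?keywords=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.7 - admin [12/May/2025:10:02:15 +0000] "GET /admin/modules/master_file/author.php?itemID=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 310 "-" "curl/8.4"
10.0.0.9 - - [12/May/2025:10:03:00 +0000] "GET /index.php?keywords=select+bibliography HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2025:10:04:30 +0000] "POST /admin/modules/master_file/author.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into its fields, or return null if it does not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+)[^"]*" (?<status>\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    [$path, $query] = array_pad(explode('?', $m['target'], 2), 2, '');
    return [
        'ip'     => $m['ip'],
        'user'   => $m['user'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => $path,
        // Decode %xx and '+' so an encoded value is inspected in plain text.
        'query'  => urldecode($query),
        'status' => (int) $m['status'],
    ];
}

/**
 * The page's SIEM rule: URI contains author.php and the query carries
 * UNION / SELECT / INSERT. Whole-word matching after decoding keeps words such
 * as "selection" from firing; the quote + boolean check covers the tautology
 * pattern the page names under "How to Verify".
 */
function injectionReason(array $req): ?string
{
    if (!str_contains($req['path'], 'author.php')) {
        return null;                       // rule is scoped to the vulnerable module
    }
    if (preg_match('/\b(UNION|SELECT|INSERT)\b/i', $req['query'], $m)) {
        return 'SQL keyword ' . strtoupper($m[1]) . ' in query string';
    }
    if (preg_match("/'\s*(OR|AND)\s*'/i", $req['query'])) {
        return 'quote/boolean tautology pattern in query string';
    }
    return null;
}

/** Run the rule over a whole log and return one alert per matching request. */
function scanLog(string $log): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $reason = injectionReason($req);
        if ($reason !== null) {
            // A 5xx on the same request lines up with the "SQL syntax errors in
            // application logs" indicator and is worth escalating.
            $alerts[] = [
                'ip'       => $req['ip'],
                'user'     => $req['user'],
                'time'     => $req['time'],
                'reason'   => $reason,
                'query'    => $req['query'],
                'severity' => $req['status'] >= 500 ? 'high' : 'medium',
            ];
        }
    }
    return $alerts;
}

foreach (scanLog(SAMPLE_LOG) as $a) {
    printf("[%s] %s %s@%s: %s | %s\n",
        $a['severity'], $a['time'], $a['user'], $a['ip'], $a['reason'], $a['query']);
}
```

Run against the constructed sample, the second and third lines produce alerts (the third at high severity because the server answered 500). The POST on the last line produces none: a standard access log does not record request bodies, so the "POST requests to author.php with SQL keywords" indicator needs body logging at the WAF or application layer. Conversely the "select bibliography" search on index.php is excluded by the URI scope, which is what keeps a bare SELECT keyword from flooding alerts on a library catalogue where that word appears in ordinary searches.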
