In Montala ResourceSpace through 9.8 before r19636, csvexportresults_metadata.php allows attackers to export collection metadata via a non-NULL k value.
{ "cpes": [ "cpe:2.3:a:montala:resourcespace:*:*:*:*:*:*:*:*", "cpe:2.3:a:montala:resourcespace:9.8:-:*:*:*:*:*:*" ], "severity": "Medium" }