Key vulnerability information

CVE ID: CVE-2023-48049

Description:
- SQL injection vulnerability in Cybrosys Techno Solutions Website Blog Search (aka ) v.13.0 through 13.0.1.0.1 allows a remote attacker to execute arbitrary code and to gain privileges via the parameter in component.

Affected Product: Website Blog Search
Link to the Odoo Apps Store: https://apps.odoo.com/apps/modules/13.0/website_search_blog/
Vulnerability Type: SQL injection
Impact: Privilege Escalation, Information Disclosure
Affected Components:

Attack Vectors:
- A remote attacker can call the controller endpoint by sending an HTTP POST request to the route with a crafted parameter. The parameter carries SQL that is concatenated into the module's existing query and executed through the database cursor.

Proof-of-Concept:
- The remote attacker sends a crafted HTTP POST request with the following body:
- Since the affected controller route does not require authentication, anyone can reach the endpoint and trigger the attack. Because the query is executed directly on the database cursor rather than through the ORM, Odoo's access-rights checks (record rules, the published/unpublished flag) are bypassed. No validation or sanitization of the user input is performed, so the attacker can inject arbitrary SQL.

Note: A recorded demo of the PoC as well as the code for the exploit are available under this directory.
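To make the pattern described under "Attack Vectors" concrete, the following added example (not code from the Website Blog Search module, the advisory, or the exploit directory) shows a search function that builds its SQL by string formatting and runs it on the raw cursor, next to a hardened version that binds the search term as a query parameter. The table names, column names, sample rows and the search-term parameter are all hypothetical stand-ins; an in-memory SQLite database is used in place of Odoo's PostgreSQL so the example runs offline. Note that Odoo's `cr.execute()` goes through psycopg2 and uses `%s` placeholders, whereas SQLite uses `?`; the parameterization principle is the same.

```python
import sqlite3


def make_db():
    """Build a constructed sample database standing in for the Odoo schema.

    The blog_post table mimics a blog model with a published flag; res_users
    holds a row the attacker should never be able to read through a public
    blog search. All values are made up for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog_post (id INTEGER, name TEXT, website_published INTEGER)")
    conn.execute("CREATE TABLE res_users (id INTEGER, login TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO blog_post VALUES (?, ?, ?)",
        [(1, "Hello world", 1), (2, "Draft post", 0)],
    )
    conn.execute("INSERT INTO res_users VALUES (1, 'admin', 'hashed-secret')")
    conn.commit()
    return conn


def search_vulnerable(cr, term):
    """The anti-pattern the advisory describes.

    The user-controlled search term is interpolated straight into the SQL
    text and executed on the cursor. Nothing between the HTTP parameter and
    the database escapes quotes, and no ORM access-rights check runs.
    """
    sql = (
        "SELECT name FROM blog_post "
        "WHERE website_published = 1 AND name LIKE '%%%s%%'" % term
    )
    cr.execute(sql)
    return [row[0] for row in cr.fetchall()]


def search_fixed(cr, term):
    """Hardened form: the term travels as a bound parameter.

    The driver serialises the value separately from the statement, so quote
    characters, UNION and comment sequences in the term are matched as text
    rather than parsed as SQL. In Odoo the placeholder would be %s and the
    query would still be better expressed as an ORM search() with a domain
    so record rules apply.
    """
    cr.execute(
        "SELECT name FROM blog_post WHERE website_published = 1 AND name LIKE ?",
        ("%" + term + "%",),
    )
    return [row[0] for row in cr.fetchall()]


# Hypothetical injected search term: closes the LIKE literal, appends a UNION
# against the users table and comments out the trailing "%'".
INJECTED_TERM = "' UNION SELECT login || ':' || password FROM res_users --"


def demo():
    """Run both variants against the same input and report what each returns."""
    cr = make_db().cursor()
    return {
        "benign_vulnerable": search_vulnerable(cr, "Hello"),
        "benign_fixed": search_fixed(cr, "Hello"),
        "injected_vulnerable": sorted(search_vulnerable(cr, INJECTED_TERM)),
        "injected_fixed": search_fixed(cr, INJECTED_TERM),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the injected term the vulnerable variant returns the admin login and password hash alongside the published post, while the fixed variant returns nothing because no post name contains that string. The same check can be reused as a regression test after patching a module: feed the payload to the endpoint and assert that only blog post names come back.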