Description
Public advisory for CVE-2025-50341 in Axelor
Introduction
# CVE-2025-50341: SQL Injection in Axelor
CVE ID: CVE-2025-50341
Reporter: Milad Seddigh
Product: Axelor
Affected Versions: v5.2.4
Impact: SQL injection → exfiltration of database content.
## Summary
A Boolean-based SQL injection vulnerability was discovered in the “_domain” parameter of Axelor. An attacker
can manipulate the SQL query logic and determine true/false conditions, potentially leading to data exposure or further
exploitation.
## Steps to Reproduce
1- Login to your account.
2- Intercept the requests that include the “_domain” parameter in the body.
3- Insert a Boolean payload (or 1=1) in the “_domain” parameter.
4- Insert a Boolean payload (or 1=2) in the “_domain” parameter.
5- Observe the difference in the server responses for 1=1 and 1=2.
6- Dump all database contents.
## Mitigation
1. Use Parameterized Queries / Prepared Statements
Ensure that all SQL queries are constructed using parameterized statements or prepared queries. This approach separates SQL logic from user input and prevents injection.
2. Employ ORM Libraries (Where Appropriate)
Using modern ORM (Object-Relational Mapping) libraries (e.g., Sequelize, Prisma, TypeORM) can help abstract raw SQL and enforce safe query practices.
3. Validate and Sanitize Input
Enforce strict input validation based on context (e.g., numeric ID must only contain digits).
Reject or sanitize inputs that do not meet expected format.
Use allow-lists rather than block-lists for validation.
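
Mitigations 1 and 3 shown side by side, as an added example that is not part of the original advisory or Axelor's code. SQLite stands in for the real database, and the table, columns, helper functions and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and columns are hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, owner TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO contact (owner, email) VALUES (?, ?)",
        [("alice", "a1@example.test"), ("alice", "a2@example.test"),
         ("bob", "b1@example.test")],
    )
    return conn

def search_vulnerable(conn, owner, domain):
    # Weak form: client-supplied filter text is spliced into the statement,
    # so it can change the WHERE logic instead of only supplying a value.
    sql = f"SELECT id FROM contact WHERE owner = ? AND {domain} ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]

# Allow-lists: only these columns and operators may appear in a filter.
ALLOWED_FIELDS = {"id", "email"}
ALLOWED_OPS = {"=": "=", "like": "LIKE"}

def search_hardened(conn, owner, field, op, value):
    # Identifiers and operators come from the allow-lists; the value is bound.
    sql_op = ALLOWED_OPS.get(op.lower())
    if field not in ALLOWED_FIELDS or sql_op is None:
        raise ValueError("filter field or operator not allowed")
    sql = f"SELECT id FROM contact WHERE owner = ? AND {field} {sql_op} ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner, value))]

if __name__ == "__main__":
    db = make_db()
    for tail in ("or 1=1", "or 1=2"):
        print("vulnerable", tail, search_vulnerable(db, "alice", f"email LIKE 'a1%' {tail}"))
        print("hardened  ", tail, search_hardened(db, "alice", "email", "like", f"a1% {tail}"))
```

In the weak form the two Boolean conditions return different row sets, which is the response difference described in the reproduction steps; in the hardened form the same text is treated as a literal value and both requests return the same result.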
File snapshot
[4.0K] /data/pocs/831613fca13ec9b510a516828a82009275d3e58b
├── [1.5K] CVE-2025-50341
└── [1.5K] README.md
0 directories, 2 files