Public advisory for CVE-2025-50341 in Axelor

# CVE-2025-50341: SQL Injection on Axelor

- CVE ID: CVE-2025-50341
- Reporter: Milad Seddigh
- Product: Axelor
- Affected Versions: v5.2.4
- Impact: SQL Injection → exfiltrating database content.

## Summary
A Boolean-based SQL injection vulnerability was discovered in the “_domain” parameter of Axelor. An attacker can manipulate the SQL query logic and determine true/false conditions, potentially leading to data exposure or further exploitation.

## Steps to Reproduce
1. Log in to your account.
2. Intercept the requests that include the “_domain” parameter in the body.
3. Insert a Boolean payload (`or 1=1`) in the “_domain” parameter.
4. Insert a Boolean payload (`or 1=2`) in the “_domain” parameter.
5. Observe the difference in server response for when 1=1 and 1=2.
6. Dump all database contents.

## Mitigation
1. Use Parameterized Queries / Prepared Statements

   Ensure that all SQL queries are constructed using parameterized statements or prepared queries. This approach separates SQL logic from user input and prevents injection.

2. Employ ORM Libraries (Where Appropriate)

   Using modern ORM (Object-Relational Mapping) libraries (e.g., Sequelize, Prisma, TypeORM) can help abstract raw SQL and enforce safe query practices.

3. Validate and Sanitize Input

   - Enforce strict input validation based on context (e.g., numeric ID must only contain digits).
   - Reject or sanitize inputs that do not meet expected format.
   - Use allow-lists rather than block-lists for validation.
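
The mitigations above, as an added example that is not Axelor's code and not part of the original advisory: a filter concatenated into the query next to one built from allow-listed identifiers and a bound value. The `partner` table, its columns and the function names are hypothetical, and SQLite stands in for the real database.

```python
import sqlite3

def make_db():
    # Constructed sample data; the table and its columns are hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE partner (id INTEGER PRIMARY KEY, name TEXT, archived INTEGER)")
    conn.executemany("INSERT INTO partner (name, archived) VALUES (?, ?)",
                     [("Acme", 0), ("Globex", 0), ("Initech", 1)])
    return conn

def search_vulnerable(conn, domain):
    # Anti-pattern: the client-supplied filter text becomes part of the SQL statement,
    # so a trailing "or 1=1" / "or 1=2" changes which rows come back.
    sql = "SELECT name FROM partner WHERE archived = 0 AND (" + domain + ") ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

# Allow-lists: the client may only pick a known column and a known operator.
ALLOWED_FIELDS = {"id", "name"}
ALLOWED_OPS = {"=": "=", "!=": "!=", "like": "LIKE"}

def search_safe(conn, field, op, value):
    if field not in ALLOWED_FIELDS or op.lower() not in ALLOWED_OPS:
        raise ValueError("filter not permitted")
    # Only allow-listed identifiers reach the SQL text; the value is bound as data.
    sql = (f"SELECT name FROM partner WHERE archived = 0 "
           f"AND {field} {ALLOWED_OPS[op.lower()]} ? ORDER BY id")
    return [row[0] for row in conn.execute(sql, (value,))]

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "name = 'Acme' or 1=1"))
    print(search_vulnerable(conn, "name = 'Acme' or 1=2"))
    print(search_safe(conn, "name", "=", "Acme' or 1=1"))
    print(search_safe(conn, "name", "=", "Acme"))
```

With the bound value, the Boolean suffix is compared as a literal string, so the true and false variants return the same (empty) result and the response no longer leaks a condition.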