Overview
CVE-2025-13168 is a medium-severity SQL injection vulnerability in Ury-ERP versions up to and including 0.2.0. The flaw is in the overrided_past_order_list function of ury/ury/api/pos_extend.py: the search_term argument is not safely handled before it reaches the database query, so a remote attacker can change the SQL statement the application executes. Exploitation can expose or modify data held in the Ury-ERP database.
A public exploit is available, which raises the likelihood of active exploitation. The Ury-ERP developers have released version 0.2.1 to address the issue.
Technical Details
The vulnerability resides within the overrided_past_order_list function in ury/ury/api/pos_extend.py. The search_term parameter is neither validated nor passed to the database as a bound parameter before it is used in a SQL query, so the database executes whatever query results from combining the application's SQL with the attacker's input. The query runs with the privileges of the database account the application connects with, so whatever that account can read or write is within reach.
Concretely, because search_term is not separated from the query text, an attacker can include a closing quote followed by SQL keywords and operators (UNION, OR, a comment sequence such as -- ) and thereby change the structure of the underlying query rather than merely the value being searched for.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13168 is 6.3, indicating a MEDIUM severity vulnerability.
This score corresponds to the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L:
- Attack Vector: Network (AV:N) – The vulnerability can be exploited remotely.
- Attack Complexity: Low (AC:L) – No special conditions are needed to exploit it.
- Privileges Required: Low (PR:L) – The attacker needs a low-privileged account on the Ury-ERP site. (With no privileges required, the same impact metrics would score 7.3 rather than 6.3, so the published score implies PR:L.)
- User Interaction: None (UI:N) – No user interaction is required.
- Scope: Unchanged (S:U) – The exploited vulnerability only affects resources managed by the same security authority, here the Ury-ERP application and its database.
- Confidentiality Impact: Low (C:L) – Limited information disclosure.
- Integrity Impact: Low (I:L) – Limited data modification.
- Availability Impact: Low (A:L) – Limited disruption of service.
Possible Impact
Successful exploitation of CVE-2025-13168 could lead to the following consequences:
- Data Breach: Unauthorized reading of data in the Ury-ERP database, including customer information, financial records, and other business-critical data; because the injection point is a search, UNION-style queries can return rows from tables the endpoint was never meant to expose.
- Data Manipulation: Modification or deletion of data within the Ury-ERP system if the database account permits writes, potentially leading to inaccurate reporting, financial losses, or disruption of business operations.
- System Compromise: Only if the database account the application uses holds more privileges than it needs (for example the ability to write files on the database host) could an attacker pivot from the Ury-ERP schema to the server itself. The Low impact ratings in the CVSS assessment reflect that this is not the expected case; it is a reason to review the privileges of that account, not a default outcome.
Mitigation or Patch Steps
The recommended mitigation is to upgrade Ury-ERP to version 0.2.1, which contains the fix for this SQL injection.
The fix is commit 063384e0dddfd191847cd2d6524c342cc380b058, which corrects the handling of the search_term parameter in overrided_past_order_list so that its contents can no longer change the query the database executes.
If upgrading is not immediately feasible, the interim fix is to change the query in overrided_past_order_list so that search_term is passed to the database driver as a bound parameter instead of being interpolated into the SQL string; ad hoc "sanitizing" of the input by stripping or escaping characters is error-prone and is not a reliable substitute. Restricting which roles can reach the POS endpoints, and reviewing request logs for search_term values containing quotes, comment sequences, or SQL keywords, reduce exposure in the meantime. None of this replaces upgrading to the patched version.
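To make the mechanism described under Technical Details concrete, and to show what the interim fix above looks like in code, here is an added, self-contained example. It is written for this page and is not Ury-ERP's pos_extend.py: the table and column names (pos_invoice, user_secret, cashier, grand_total) and the function names are assumptions, and only the search_term parameter name comes from the advisory. sqlite3 stands in for the MariaDB database a Frappe site uses so the script runs offline; in Frappe the hardened form corresponds to calling frappe.db.sql with a values tuple or dict and %s / %(name)s placeholders rather than formatting the values into the query string.

```python
"""Illustration of the CVE-2025-13168 injection pattern and its fix.

Constructed example for this page, not Ury-ERP code. Table and column
names (pos_invoice, user_secret, cashier, ...) are assumptions; only the
`search_term` parameter name comes from the advisory. sqlite3 stands in
for MariaDB so the script runs offline.
"""
import sqlite3

# Constructed sample data: past POS invoices, plus a table that a search
# endpoint should never be able to read.
SAMPLE_ORDERS = [
    ("POS-0001", "Alice", "Table 1", 42.50),
    ("POS-0002", "Bob", "Table 7", 18.00),
    ("POS-0003", "Alice", "Takeaway", 9.99),
]
SAMPLE_SECRETS = [
    ("Administrator", "s3cr3t-admin"),
    ("alice@example.com", "s3cr3t-alice"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pos_invoice (name TEXT, cashier TEXT, "
        "restaurant_table TEXT, grand_total REAL)"
    )
    conn.execute("CREATE TABLE user_secret (user TEXT, secret TEXT)")
    conn.executemany("INSERT INTO pos_invoice VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.executemany("INSERT INTO user_secret VALUES (?, ?)", SAMPLE_SECRETS)
    conn.commit()
    return conn


def past_orders_vulnerable(conn, cashier, search_term):
    """Vulnerable pattern: search_term is spliced into the SQL text.

    A quote inside search_term terminates the LIKE literal, and everything
    after it is parsed as SQL rather than treated as data.
    """
    query = (
        "SELECT name, cashier, restaurant_table, grand_total FROM pos_invoice "
        f"WHERE cashier = '{cashier}' AND name LIKE '%{search_term}%'"
    )
    return conn.execute(query).fetchall()


def escape_like(value):
    """Escape LIKE wildcards so a user typing % or _ matches them literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def past_orders_safe(conn, cashier, search_term):
    """Hardened pattern: the SQL text is constant and the driver binds values.

    Whatever search_term contains is compared as data and can never become
    part of the statement. The LIKE wildcards are escaped separately because
    parameter binding alone does not stop % or _ from acting as wildcards.
    """
    query = (
        "SELECT name, cashier, restaurant_table, grand_total FROM pos_invoice "
        "WHERE cashier = ? AND name LIKE ? ESCAPE '\\'"
    )
    pattern = f"%{escape_like(search_term)}%"
    return conn.execute(query, (cashier, pattern)).fetchall()


# Constructed payload: closes the LIKE literal, appends a UNION that pulls
# rows from an unrelated table, and comments out the rest of the query.
UNION_PAYLOAD = "%' UNION SELECT user, secret, '', 0 FROM user_secret -- "


def demo():
    """Return (vulnerable_rows, safe_rows) for the payload sent as cashier Bob."""
    conn = make_db()
    return (
        past_orders_vulnerable(conn, "Bob", UNION_PAYLOAD),
        past_orders_safe(conn, "Bob", UNION_PAYLOAD),
    )


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned:", leaked)      # Bob's order plus both secret rows
    print("parameterized query returned:", blocked)  # []
```

Running the script shows the vulnerable form returning Bob's single invoice together with both rows of the unrelated user_secret table, while the parameterized form returns nothing for the same input because the payload is only ever compared against invoice names. The escape_like step is the part people most often forget: binding stops injection, but without it a search for "100%" still behaves as a wildcard.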
