CVE-2023-48049

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in Cybrosys Techno Solutions Website Blog Search module allows remote attackers to execute arbitrary SQL commands via the name parameter. This can lead to remote code execution, data theft, and complete system compromise. Organizations using Odoo with this vulnerable module are affected.

💻 Affected Systems

Products:
  • Cybrosys Techno Solutions Website Blog Search (website_search_blog)
Versions: 13.0 through 13.0.1.0.1
Operating Systems: All platforms running Odoo
Default Config Vulnerable: ⚠️ Yes
Notes: This is an Odoo module, so the vulnerability exists when this specific module is installed and enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case

Database compromise, sensitive data theft, and potential privilege escalation to execute arbitrary code.

🟢 If Mitigated

Limited impact if proper input validation and WAF rules block malicious requests, though risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in GitHub repositories, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.0.1.0.2 or later

Vendor Advisory: https://www.cybrosys.com/odoo/modules/website-blog-search

Restart Required: Yes

Instructions:

1. Update the website_search_blog module to version 13.0.1.0.2 or later via Odoo's module management interface.
2. Restart the Odoo service to apply changes.

🔧 Temporary Workarounds

Disable vulnerable module (platform: linux)

Temporarily disable the website_search_blog module until patching is possible:

    sudo -u odoo python3 /path/to/odoo-bin -d your_database --update website_search_blog --stop-after-init

Note that `--update` re-runs the module's upgrade step against the database (which is how the patched version is applied once it is on disk); it does not uninstall the module. Uninstalling is done from the Odoo Apps menu (Uninstall), after which the Odoo service is restarted.

WAF rule implementation (platform: all)

Implement web application firewall rules to block SQL injection patterns in the name parameter.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the controllers/main.py file
  • Deploy network segmentation to isolate the vulnerable system and limit lateral movement
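The controller hardening the first bullet asks for, shown as a constructed example that is not the website_search_blog module's own code: the string-built query beside the parameterized form that Odoo's cursor (`cr.execute(query, params)`, a psycopg2-style cursor) expects, plus a basic length and control-character check on the search term. The `blog_post` table name, the `RecordingCursor` stand-in and the 100-character limit are assumptions.

```python
"""Constructed example: unsafe vs. parameterized blog search in an Odoo-style
controller. Not the module's own code; table and limits are assumed."""
import re

MAX_SEARCH_LEN = 100  # assumed cap for a blog search term


class RecordingCursor:
    """Stand-in for self.env.cr: records what would reach PostgreSQL."""

    def __init__(self):
        self.calls = []

    def execute(self, query, params=None):
        # Real psycopg2 sends `query` and `params` to the server separately.
        self.calls.append((query, params))


def search_posts_unsafe(cr, name):
    """Vulnerable pattern: the user-supplied term is spliced into the SQL
    text, so a quote character in `name` changes the statement itself."""
    query = "SELECT id, name FROM blog_post WHERE name ILIKE '%%%s%%'" % name
    cr.execute(query)
    return query


def validate_search_term(name):
    """Reject non-string, empty, oversized or control-character input.
    Returns the stripped term, or None when the input is rejected."""
    if not isinstance(name, str):
        return None
    term = name.strip()
    if not term or len(term) > MAX_SEARCH_LEN or re.search(r"[\x00-\x1f]", term):
        return None
    return term


def search_posts_safe(cr, name):
    """Hardened pattern: validate, then bind the term as a parameter.
    The LIKE wildcards live in the parameter, not the SQL text, so no
    '%%' escaping is needed and quotes in `name` remain plain data.
    Returns (query, params), or None when the input is rejected."""
    term = validate_search_term(name)
    if term is None:
        return None
    query = "SELECT id, name FROM blog_post WHERE name ILIKE %s"
    params = ("%" + term + "%",)
    cr.execute(query, params)
    return query, params
```

With an input such as `O'Reilly`, the unsafe version emits SQL whose string literal is terminated early by the apostrophe, while the safe version leaves the query text fixed and passes the term in `params`.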

🔍 How to Verify

Check if Vulnerable:

Check the installed module version via the Odoo Apps menu or with the database query below.

Check Version:

    SELECT latest_version FROM ir_module_module WHERE name='website_search_blog';

Verify Fix Applied:

Verify the module version is 13.0.1.0.2 or higher and test the search functionality with SQL injection payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in Odoo logs
  • Multiple failed login attempts after search requests
  • Suspicious payloads containing SQL keywords in the name parameter

Network Indicators:

  • Unusual outbound database connections from Odoo server
  • Large data transfers following search requests

SIEM Query:

    source="odoo.log" AND ("SELECT" OR "UNION" OR "DROP" OR "INSERT") AND "name="
