CVE-2025-13168
📋 TL;DR
This SQL injection vulnerability in ury-erp lets a remote attacker manipulate database queries through the search_term parameter of the overrided_past_order_list function in pos_extend.py. Successful exploitation can lead to theft or modification of ERP data and, depending on database privileges, further compromise of the system. All deployments running ury-erp versions up to and including 0.2.0 are affected.
💻 Affected Systems
- ury-erp
📦 What is this software?
Ury by Ury
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ERP database: exfiltration or manipulation of all data reachable by the application's database account and, depending on that account's privileges and the database configuration, privilege escalation or remote code execution on the database host.
Likely Case
Unauthorized data access and extraction from the ERP database, potentially exposing sensitive business information.
If Mitigated
Limited impact where the search_term value is validated and passed to the database as a bound parameter (parameterization closes the injection outright), and where the application's database account holds only the privileges it needs.
🎯 Exploit Status
Public exploit details are available in the referenced GitHub repository (ictrun/ury-vulns); the flaw is exploitable remotely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.1
Vendor Advisory: https://github.com/ury-erp/ury/releases/tag/v0.2.1
Restart Required: Yes
Instructions:
1. Back up the current installation and database.
2. Upgrade to version 0.2.1 via pip: pip install ury-erp==0.2.1
3. Restart the ury-erp service.
4. Verify the patch is applied by confirming that the installed code includes commit 063384e0dddfd191847cd2d6524c342cc380b058 (compare pos_extend.py against that commit).
🔧 Temporary Workarounds
Input Validation Filter
Implement strict allow-list validation of the search_term parameter so that quotes, comment sequences and other SQL metacharacters are rejected before the value reaches the query. This is a stopgap, not a fix: it also blocks legitimate searches containing punctuation, and the query should still be parameterized.
# In pos_extend.py, validate the term before it reaches the SQL query
import re
# Allow-list: letters, digits and whitespace only; everything else is rejected
if not re.fullmatch(r'[a-zA-Z0-9\s]+', search_term or ''):
    raise ValueError('Invalid search term')
WAF Rule
Deploy web application firewall rules that block SQL injection patterns in the search_term argument. The @detectSQLi operator (libinjection, available in ModSecurity 2.8+ and v3) inspects the decoded argument value, so URL-encoded payloads are covered.
# Example ModSecurity rule
SecRule ARGS:search_term "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQL Injection Attempt'"
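The following is an added illustration, not code from ury-erp or from the page's references: a constructed in-memory database with a hypothetical vulnerable query that formats search_term into a LIKE literal (the pattern the TL;DR describes), the same query with the term passed as a bound parameter, and the allow-list check from the workaround above. The table and column names, the /users table and the payload are all made up for the demo.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for an ERP database; not ury-erp's tables.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (name TEXT, customer TEXT, status TEXT)")
    con.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("POS-0001", "alice", "Paid"),
        ("POS-0002", "bob", "Paid"),
        ("POS-0003", "alice", "Draft"),
    ])
    con.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "key-alice"),
        ("bob", "key-bob"),
    ])
    return con

def past_orders_vulnerable(con, search_term):
    # Hypothetical vulnerable pattern: the user-controlled term is formatted
    # straight into the LIKE literal, so a quote closes the string and the
    # remainder of the term is executed as SQL.
    sql = f"SELECT name FROM orders WHERE customer LIKE '%{search_term}%'"
    return [row[0] for row in con.execute(sql)]

def past_orders_fixed(con, search_term):
    # The term travels as a bound parameter, never as SQL text. LIKE wildcards
    # are escaped as well, so the caller cannot widen the pattern with % or _.
    escaped = (search_term.replace("\\", "\\\\")
                          .replace("%", "\\%")
                          .replace("_", "\\_"))
    sql = "SELECT name FROM orders WHERE customer LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in con.execute(sql, (f"%{escaped}%",))]

# Allow-list from the workaround section: letters, digits, whitespace, bounded length.
SEARCH_TERM_RE = re.compile(r"[A-Za-z0-9\s]{1,64}")

def is_valid_search_term(search_term):
    return bool(SEARCH_TERM_RE.fullmatch(search_term or ""))

def validate_search_term(search_term):
    if not is_valid_search_term(search_term):
        raise ValueError("Invalid search term")
    return search_term

# Constructed payload: closes the LIKE literal and appends a UNION that pulls
# api_key values out of an unrelated table. '%'='%' is always true.
PAYLOAD = "x' UNION SELECT api_key FROM users WHERE '%'='"

if __name__ == "__main__":
    con = make_db()
    print(past_orders_vulnerable(con, "alice"))  # legitimate search still works
    print(past_orders_vulnerable(con, PAYLOAD))  # leaks every api_key
    print(past_orders_fixed(con, PAYLOAD))       # [] : the payload is only a string
    print(past_orders_fixed(con, "%"))           # [] : wildcard is matched literally
    print(is_valid_search_term(PAYLOAD))         # False: allow-list rejects the quote
```

Run it once with the payload against both functions: the vulnerable variant returns the contents of a table the query never named, the parameterized variant returns nothing, and the allow-list rejects the term before either query runs. The wildcard escaping is the detail the workaround's regex silently provides (it forbids % and _) and that a parameterized LIKE otherwise loses.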
🧯 If You Can't Patch
- Implement network segmentation to restrict access to ury-erp instances
- Deploy database monitoring to detect unusual SQL query patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the installed ury-erp version is 0.2.0 or earlier, and inspect pos_extend.py to see whether the search_term value handled by overrided_past_order_list is built into the SQL string rather than passed as a bound parameter.
Check Version:
pip show ury-erp | grep Version
Verify Fix Applied:
Confirm that the installed version is 0.2.1 (pip show ury-erp) and that pos_extend.py matches the code after commit 063384e0dddfd191847cd2d6524c342cc380b058.
📡 Detection & Monitoring
Log Indicators:
- Statements in the database query log, issued by the application account, that contain UNION clauses, comment sequences (--, /*) or always-true conditions the application never generates itself
- Requests invoking the past-order list function whose search_term value carries SQL syntax (quotes, UNION/SELECT, comment sequences), including URL-encoded and mixed-case variants
- Unexpected database schema changes
Network Indicators:
- HTTP requests whose search_term parameter contains SQL keywords or quote/comment sequences, including percent-encoded forms (%27, %20) and double-encoded forms (%2527)
- Unusual outbound connections from the database host
SIEM Query (pseudo-syntax; adapt to your engine, URL-decode the parameter before matching, and match case-insensitively, otherwise encoded payloads such as %27%20uNiOn are missed):
source="web_logs" AND (search_term CONTAINS "UNION" OR search_term CONTAINS "SELECT" OR search_term CONTAINS "INSERT")
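As an added example (not part of the original advisory or of the ury-erp project), the check below runs the detection idea above over constructed access-log lines. The request path /past_order_list is hypothetical; the detector keys only on the search_term parameter, URL-decodes it repeatedly so percent- and double-encoded payloads are seen in clear, and uses word-bounded, case-insensitive keyword matching plus quote-tautology and comment-sequence patterns, which avoids the false positive that a plain CONTAINS "SELECT" would raise on a term like "selection".

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined format; not real ury-erp traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /past_order_list?search_term=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Nov/2025:10:01:09 +0000] "GET /past_order_list?search_term=selection+2 HTTP/1.1" 200 498',
    '203.0.113.7 - - [12/Nov/2025:10:02:41 +0000] "GET /past_order_list?search_term=x%27%20UNION%20SELECT%20api_key%20FROM%20users-- HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Nov/2025:10:02:43 +0000] "GET /past_order_list?search_term=%2527+oR+%25271%2527%253D%25271 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Nov/2025:10:03:00 +0000] "POST /login HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Word-bounded so "selection" or "dropdown" do not trigger; case-insensitive so uNiOn does.
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b", re.I)
# '--' and '/*' only; '#' is omitted because it is common in legitimate POS searches.
COMMENT_SEQ = re.compile(r"--|/\*")
# A quote followed by OR/AND and an equality, e.g. ' or '1'='1
TAUTOLOGY = re.compile(r"""['"]\s*(or|and)\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)

def fully_decode(value, rounds=3):
    # Undo stacked percent-encoding (%2527 -> %27 -> ') up to a small bound.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def search_term_indicators(term):
    # Returns the list of indicator names that fire on a decoded search term.
    reasons = []
    if SQL_KEYWORDS.search(term):
        reasons.append("sql-keyword")
    if COMMENT_SEQ.search(term):
        reasons.append("comment-sequence")
    if TAUTOLOGY.search(term):
        reasons.append("quote-tautology")
    if len(term) > 64:
        reasons.append("oversized")
    return reasons

def scan_access_log(lines):
    # Yields one hit per suspicious search_term value, with its line number and reasons.
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs already decodes one layer and turns '+' into spaces.
        for raw in parse_qs(query, keep_blank_values=True).get("search_term", []):
            term = fully_decode(raw)
            reasons = search_term_indicators(term)
            if reasons:
                hits.append({"line": lineno, "term": term, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['reasons']} :: {hit['term']!r}")
```

Lines 3 and 4 of the sample are flagged (the second only after two decoding rounds), while "alice", "selection 2" and the POST to /login pass. The same indicator function can sit behind a WAF log parser or a SIEM enrichment step; what matters is decoding before matching and bounding keywords, which the one-line SIEM query above does not do.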
🔗 References
- https://github.com/ictrun/ury-vulns/blob/main/README.md
- https://github.com/ictrun/ury-vulns/blob/main/README.md#verification-steps
- https://github.com/ury-erp/ury/commit/063384e0dddfd191847cd2d6524c342cc380b058
- https://github.com/ury-erp/ury/releases/tag/v0.2.1
- https://vuldb.com/?ctiid.332456
- https://vuldb.com/?id.332456
- https://vuldb.com/?submit.683984