CVE-2025-62319

Boolean-Based SQL Injection in Multiple Unica Components

CVSS 9.8 CRITICAL · EPSS 0.3% · CWE-89
In short

An attacker can inject malicious SQL code into Unica application inputs using Boolean conditions, allowing them to manipulate database queries without directly seeing the results. This lets them secretly extract sensitive data or compromise the database by observing how the application responds to true or false conditions.

Technical detail

Boolean-based blind SQL injection vulnerability in Unica components allows attackers to inject arbitrary SQL via application input fields that are insufficiently sanitized before execution in backend queries. The attacker infers query results through application behavior differences (true/false responses) rather than visible output, enabling database reconnaissance and potential unauthorized data access or modification.

Summary generated and translated by AI from the official description.

Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.
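The mechanism described above, and the fix that removes it, as an added illustration that is not code from HCL, Unica or the advisory. The table, column names and rows are constructed for the example, and SQLite stands in for whatever backend the real product uses. A configuration lookup built by string concatenation lets a Boolean condition in the input change how many rows come back, which is exactly the true/false signal the description refers to; the same lookup with a bound parameter treats the input as a literal value, and an allow-list check on the setting name rejects anything that is not a plausible key before it reaches the database at all.

```python
import re
import sqlite3

# Constructed sample data (not from the advisory): a tiny settings table.
SAMPLE_ROWS = [
    ("smtp.host", "mail.example.internal"),
    ("smtp.port", "25"),
    ("admin.email", "ops@example.internal"),
]

# Setting names are dotted identifiers; anything else is rejected up front.
NAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,64}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed settings rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO settings VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Unsafe pattern (CWE-89): the input is spliced into the SQL text, so a
    quote followed by a Boolean condition becomes part of the WHERE clause and
    the result set size depends on whether that condition is TRUE or FALSE."""
    sql = "SELECT value FROM settings WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver binds `name` as a value, never as SQL grammar.
    Whatever the input contains, the query only ever compares it to `name`."""
    sql = "SELECT value FROM settings WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def is_valid_setting_name(name: str) -> bool:
    """Allow-list check: defence in depth in front of the parameterized query."""
    return NAME_RE.fullmatch(name) is not None


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Validate the key shape, then use the bound-parameter query."""
    if not is_valid_setting_name(name):
        raise ValueError("invalid setting name")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    # Inputs ending in a TRUE and a FALSE condition; in the vulnerable lookup
    # they return every row and no row respectively, which is the observable
    # difference a blind injection relies on.
    true_cond = "x' OR '1'='1"
    false_cond = "x' OR '1'='2"
    print("vulnerable, TRUE condition :", lookup_vulnerable(db, true_cond))
    print("vulnerable, FALSE condition:", lookup_vulnerable(db, false_cond))
    print("parameterized, TRUE cond.  :", lookup_parameterized(db, true_cond))
    print("parameterized, FALSE cond. :", lookup_parameterized(db, false_cond))
    print("hardened, legitimate key   :", lookup_hardened(db, "smtp.host"))
```

With the vulnerable lookup the two inputs yield three rows and zero rows, so the application's behaviour leaks the truth value of the injected condition; with the parameterized lookup both inputs return nothing, because no setting is literally named that string, and the allow-list check rejects them before a query is even issued. In a real deployment the same two controls apply to every input that reaches a backend query, and a sudden pattern of requests that differ only in an appended condition is worth alerting on at the web tier.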
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
HCL · Unica
