Primary

Context

Owl-Admin SQL Injection Vulnerability in Admin Menus Save Order API

Vulnerability

A SQL injection vulnerability has been identified in Owl Admin versions 3.2.2 through 4.10.2. The issue resides in the admin-api/system/admin_menus/save_order endpoint, where specially crafted parameters can be used to manipulate SQL queries, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the Owl Admin system and send a POST request to the /admin-api/system/admin_menus/save_order endpoint. Include a payload in the 'ids' parameter that exploits the SQL injection, such as one that uses the updatexml function to extract database information, like the current database user.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

6.6

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

6.6

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Owl-Admin SQL Injection Vulnerability in Admin Menus Save Order API

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating