CRITICAL🇵🇱 Wersja polska

CVE-2025-62319

CVSS 9.8v3.1pub. 2026-03-16upd. 2026-06-05

Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.

🤖 AI Analysis
How it works

An attacker injects logical conditions (TRUE or FALSE) into application input fields, thereby manipulating SQL queries executed by the backend. The application does not return direct errors or database data, but responds with different responses depending on whether the injected condition is true or false. Based on differences in application responses, an attacker is able to reconstruct the contents of the database. This allows injection of arbitrary SQL into configuration queries executed within the application.

Impact

An attacker can gain unauthorized access to sensitive data stored in the database, as well as compromise its integrity or availability. Depending on the database account permissions, it is possible to read, modify, or delete data.

Mitigation & patch

Apply patches available from the vendor according to the references — detailed information available in the HCL Software knowledge base article: KB0129410 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410)

Who is affected

HCL Software products indicated in vendor references (article KB0129410); specific versions should be identified based on vendor documentation

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Hcltech Unica

    APP
    Hcltech
    < 25.1.1.0.1
  • Hcltech Unica Audience Central

    APP
    Hcltech
    < 25.1.1.0.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2024-42210HIGH7.6ten sam produkt

A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower.  S...

CVE-2025-51735HIGH7.5ten sam produkt

CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.

CVE-2023-37498HIGH8.1ten sam produkt

A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administ...

CVE-2023-37500HIGH8.1ten sam produkt

A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform.  ...

CVE-2023-37499HIGH8.1ten sam produkt

A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platf...