| tiêu đề | onyx-dot-app onyx 0.29.1 SQL Injection |
|---|
| Mô tả | This report demonstrates a critical SQL injection vulnerability within the Onyx system. An attacker can send a specially crafted message through the application's chat interface (/api/send-message), which is then routed by the backend agent's tool selector (choose_tool.py) to the vulnerable Knowledge Graph query tool (generate_simple_sql). This tool fails to properly sanitize user input when generating and executing SQL queries, allowing an attacker to inject and execute arbitrary SQL code. This can lead to the theft of sensitive database information, such as user credentials. |
|---|
| Nguồn | ⚠️ https://www.cnblogs.com/aibot/p/18982747 |
|---|
| Người dùng | Anonymous User |
|---|
| Đệ trình | 13/07/2025 14:02 (cách đây 11 các tháng) |
|---|
| Kiểm duyệt | 19/07/2025 13:06 (6 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 317009 [Onyx đến 0.29.1 Chat Interface a3_generate_simple_sql.py generate_simple_sql Tiêm SQL] |
|---|
| điểm | 20 |
|---|