CVE-2025-51535
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-09-20
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craws | openatlas | < 8.12.0 (all releases before 8.12.0; 8.12.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-51535 describes an unrestricted SQL console in the administrative UI of OpenAtlas 8.11.0 (Admin -> SQL -> Execute). Any authenticated administrator can submit arbitrary SQL to the application's PostgreSQL database without restriction: full read access to every table, modification or deletion of rows, DROP of tables, and expensive statements that leave the application unavailable. Strictly this is not an injection flaw, since no untrusted input is smuggled into a query; the console is a deliberate feature that hands the database to whoever holds an admin session, so the missing control is the privilege boundary between "web application admin" and "owner of the database". [1]
How can this vulnerability impact me? :
Anyone who obtains administrator access to your OpenAtlas instance, whether a compromised account or an insider, also obtains the database: they can read every confidential record (including account data), silently alter or delete research data, and cause denial of service by running expensive queries or dropping tables. The loss covers confidentiality, integrity and availability at once, and because the console executes as the application's own database role, there is no second credential standing between an admin session and the data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check the installed OpenAtlas version: any release below 8.12.0 (8.11.0 and earlier) is affected. On an affected release the administrative interface exposes the console under Admin -> SQL -> Execute; if you hold admin rights you can confirm its presence without running anything. Whether it has already been used is a database-side question: with PostgreSQL statement logging enabled, look for DDL (DROP, ALTER, TRUNCATE), whole-table DELETE/UPDATE, pg_sleep() calls or bulk reads of the account table issued under the application's database role outside an upgrade window. The cited resources do not provide specific detection commands. [1]
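The two checks above can be scripted. The following Python is an added example written for this page; it is not code from BaseFortify, the cited resources, or the OpenAtlas project. It assumes, since the page does not say, that OpenAtlas connects to PostgreSQL as a role named openatlas, that PostgreSQL runs with log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d ', and that web.user is the table holding application accounts; the log lines in SAMPLE_LOG are constructed. It compares an installed version against the 8.12.0 fix numerically (so 8.9.0 correctly sorts below 8.12.0, which a string comparison gets wrong) and scans a statement log for SQL that an ORM-backed web application does not issue at runtime, which is the trace an abused console leaves behind.

```python
"""Added example for CVE-2025-51535 (not code from BaseFortify, the cited
resources, or the OpenAtlas project).

Two checks a defender can run without opening the admin SQL console:
  1. is_affected(): is the installed OpenAtlas version below the 8.12.0 fix?
  2. flag_console_statements(): which statements in a PostgreSQL statement log
     look like SQL console use rather than normal application traffic?

Assumptions not stated on the page: the application's database role is named
"openatlas"; PostgreSQL runs with log_statement = 'all' and
log_line_prefix = '%m [%p] %u@%d ' (timestamp, pid, user@database); the table
web.user holds application accounts. SAMPLE_LOG below is constructed.
"""
import re

FIXED_VERSION = (8, 12, 0)  # first release without the SQL console


def parse_version(text):
    """'8.11.0', 'v8.11', '8.12.0-rc1' -> (8, 11, 0), (8, 11, 0), (8, 12, 0)."""
    m = re.match(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(version):
    # Tuple comparison, not string comparison: "8.9.0" < "8.12.0" is False as
    # strings but True as versions, and 8.9.0 is inside the affected range.
    return parse_version(version) < FIXED_VERSION


# One log line per statement under the assumed log_line_prefix.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
DDL = re.compile(r"^\s*(DROP|ALTER|TRUNCATE|CREATE|GRANT|REVOKE|COPY)\b", re.I)
WRITE = re.compile(r"^\s*(DELETE|UPDATE)\b", re.I)
WHERE = re.compile(r"\bWHERE\b", re.I)
EXPENSIVE = re.compile(r"\bpg_sleep\s*\(", re.I)  # classic console DoS
TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([\w.]+)", re.I)
SENSITIVE_TABLES = {"web.user"}  # assumed name of the account table


def classify(sql):
    """Return 'ok' for traffic an ORM-backed web app normally issues, otherwise
    a label naming why a human should look at the statement."""
    if DDL.match(sql):
        return "ddl"              # schema or privilege change at runtime
    if EXPENSIVE.search(sql):
        return "expensive"        # pg_sleep() ties up a backend
    if WRITE.match(sql) and not WHERE.search(sql):
        return "write_no_where"   # whole-table DELETE/UPDATE
    if sql.lstrip().upper().startswith("SELECT"):
        tables = {t.lower() for t in TABLE_REF.findall(sql)}
        if tables & SENSITIVE_TABLES:
            return "sensitive_read"  # bulk read of account data
    return "ok"


def flag_console_statements(lines, app_role="openatlas"):
    """Return a list of (label, sql) for every suspicious statement issued by
    app_role. Other roles are skipped: the CVE is about what the application's
    own credentials can do once the console hands them to an admin. DDL during
    a planned upgrade window is expected and should be reconciled by hand."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("user") != app_role:
            continue
        label = classify(m.group("sql"))
        if label != "ok":
            findings.append((label, m.group("sql").strip()))
    return findings


# Constructed sample; table names are illustrative, not verified OpenAtlas schema.
SAMPLE_LOG = [
    "2025-08-04 10:15:02.117 UTC [4821] openatlas@openatlas LOG:  statement: SELECT id, name FROM model.entity WHERE id = 42",
    "2025-08-04 10:15:09.402 UTC [4821] openatlas@openatlas LOG:  statement: UPDATE model.entity SET name = 'x' WHERE id = 42",
    "2025-08-04 10:16:33.900 UTC [4821] openatlas@openatlas LOG:  statement: SELECT * FROM web.user",
    "2025-08-04 10:17:01.250 UTC [4821] openatlas@openatlas LOG:  statement: DELETE FROM model.entity",
    "2025-08-04 10:17:40.018 UTC [4821] openatlas@openatlas LOG:  statement: DROP TABLE web.user CASCADE",
    "2025-08-04 10:18:05.333 UTC [4821] openatlas@openatlas LOG:  statement: SELECT pg_sleep(600)",
    "2025-08-04 10:18:10.001 UTC [5002] postgres@postgres LOG:  statement: DROP DATABASE scratch",
    "2025-08-04 10:18:11.001 UTC [4821] openatlas@openatlas LOG:  duration: 3.2 ms",
]

if __name__ == "__main__":
    for v in ("8.11.0", "8.12.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for label, sql in flag_console_statements(SAMPLE_LOG):
        print(f"{label:15} {sql}")
```

Run against a real log, the role filter matters: the console executes with the application's credentials, so DDL or whole-table writes under that role are the signal, while the same statements from a DBA's own role during maintenance are normal. Tune SENSITIVE_TABLES and the role name to your deployment.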
What immediate steps should I take to mitigate this vulnerability?
Update OpenAtlas to version 8.12.0 or later, where the vendor removed the SQL console entirely; with the feature gone there is no unrestricted SQL execution path left to abuse. Until the upgrade is done, treat every admin account as a database account: prune unused admins, enforce strong credentials and multi-factor login where your deployment allows it, and review recent admin activity. As a compensating control you can run the application under a PostgreSQL role that lacks DDL and DROP rights on the application schema, which limits console use to data-level damage; note that an upgrade that changes the schema will then need a privileged role for the duration of that upgrade. [1]