Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.
AnalysisAI
A Boolean-based SQL injection vulnerability exists in HCL Unica that allows remote attackers to manipulate backend database queries through specially crafted input fields. The vulnerability affects HCL Unica version 25.1.1 and below, enabling unauthenticated attackers to extract sensitive data, modify database contents, or potentially compromise the entire system. With a critical CVSS score of 9.8 and network-based attack vector requiring no authentication, this represents a severe risk to organizations using affected Unica installations.
Technical ContextAI
HCL Unica is an enterprise marketing automation platform identified by CPE cpe:2.3:a:hcl:unica:*:*:*:*:*:*:*:*. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), specifically allowing Boolean-based blind SQL injection attacks. In this attack variant, malicious SQL conditions are injected that evaluate to TRUE or FALSE, causing the application to respond differently based on the result without directly revealing data or errors. This enables attackers to systematically extract information from the database one bit at a time by observing application behavior changes.
RemediationAI
Organizations must upgrade HCL Unica to a version newer than 25.1.1 as recommended in HCL's security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129410. Until patching is possible, implement strict input validation and parameterized queries for all user inputs, deploy a web application firewall (WAF) with SQL injection detection rules, and restrict network access to the Unica application to trusted IP ranges only. Monitor database query logs for suspicious Boolean-based patterns and unusual query volumes that may indicate exploitation attempts.
A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator. Rat
The Unica application exposes an API which accepts arbitrary XML input. Rated high severity (CVSS 8.8), this vulnerabili
CSV formula injection vulnerability in HCL Technologies Ltd. Rated high severity (CVSS 7.5), this vulnerability is remot
File upload vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 6.3), this vulnerability is remotely expl
A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. Rated medium severity (CVSS 6.1)
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. Rated mediu
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. Rated
Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 5.5), this vulnerab
Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 5.4), this vulnerability i
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208747