Aix Db
Monthly
Unauthenticated SQL data exfiltration in Aix-DB versions up to and including 1.2.4 allows attackers on adjacent networks to issue arbitrary SELECT queries against the application's database through the /llm/process_llm_out endpoint, which omits the token validation enforced on every other application route. The flaw was disclosed by CERT-PL, and no public exploit had been identified at time of analysis, but the CVSS 4.0 vector (AV:A/AC:L/PR:N/UI:N/VC:H) reflects trivial exploitation once an attacker reaches the deployment network. No vendor-released patch had been identified at time of analysis.
SQL injection in apconw Aix-DB through the terminology_retriever.py module allows local attackers to manipulate the Description argument and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected versions include Aix-DB up to 1.2.3.
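The terminology_retriever.py flaw above is a Description argument reaching SQL as text rather than as data. The following is an added illustration, not Aix-DB's own code: the table, column names and function names are assumptions, built on an in-memory SQLite database, and it places the vulnerable string-splicing pattern beside the bound-parameter form that removes it.

```python
import sqlite3

# Constructed sample rows standing in for a terminology table; the real
# Aix-DB schema is not known here and these names are assumptions.
_ROWS = [
    ("gradient descent", "optimisation method that follows the negative gradient"),
    ("token", "unit of text produced by a tokenizer"),
    ("embedding", "dense vector representation of a term"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed terminology rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE terminology (term TEXT, description TEXT)")
    conn.executemany("INSERT INTO terminology VALUES (?, ?)", _ROWS)
    return conn


def retrieve_unsafe(conn: sqlite3.Connection, description: str) -> list:
    """Vulnerable pattern (hypothetical): the Description value is spliced into
    the SQL text, so quote characters inside it rewrite the WHERE clause
    instead of being compared as a literal."""
    sql = f"SELECT term FROM terminology WHERE description = '{description}'"
    return [row[0] for row in conn.execute(sql)]


def retrieve_safe(conn: sqlite3.Connection, description: str) -> list:
    """Hardened form: the value is bound as a parameter. The statement's
    structure is fixed before the value is seen, so any characters in the
    description are matched literally and can never alter the query."""
    sql = "SELECT term FROM terminology WHERE description = ?"
    return [row[0] for row in conn.execute(sql, (description,))]


if __name__ == "__main__":
    db = make_db()
    print(retrieve_safe(db, "unit of text produced by a tokenizer"))  # ['token']
```

A quick regression check for a retriever like this is to pass a description containing a single quote and confirm it returns only literal matches; with the spliced form the same input returns every row.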