Vulners
Lucene search
📄 Abacre Retail Point of Sale 14.0.0.396 SQL Injection
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | Exploit for CVE-2025-67261 | 18 Jan 202606:24 | – | githubexploit |
 | CVE-2025-67261 | 20 Jan 202600:00 | – | attackerkb |
 | CVE-2025-67261 | 20 Jan 202619:16 | – | circl |
 | Abacre Retail Point of Sale security vulnerability | 20 Jan 202600:00 | – | cnnvd |
 | CVE-2025-67261 | 20 Jan 202600:00 | – | cve |
 | CVE-2025-67261 | 20 Jan 202600:00 | – | cvelist |
 | EUVD-2026-3378 | 20 Jan 202600:00 | – | euvd |
 | CVE-2025-67261 | 20 Jan 202618:16 | – | nvd |
 | PT-2026-3637 | 20 Jan 202600:00 | – | ptsecurity |
 | CVE-2025-67261 | 21 Jan 202600:30 | – | redhatcve |
10
# CVE-2025-67261 - Content-based blind SQL injection on Abacre Retail Point of Sale 14.0.0.396
Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page.
The "Search" function under the "Orders" page is vulnerable to Content-based Blind SQL Injection.
<img width="1512" height="759" alt="Pasted image 20251028224616" src="https://github.com/user-attachments/assets/2226134d-69b7-4a2e-98e1-2a66908b21bf" />
A simple payload will give us the initial confirmation, then, using the query below we can confirm that the "Client" table exist in the Firebird database file.
```SQL
') OR EXISTS(SELECT 1 FROM Client)--
```
<img width="1630" height="233" alt="Pasted image 20251028225040" src="https://github.com/user-attachments/assets/5d24e6a8-5056-4c71-abe8-ce029aac2b36" />
When executing, we do receive content. To confirm this even further, we can go to the "Clients" tab and trigger a SQL error, which will give us the name of the table.
<img width="1077" height="499" alt="Pasted image 20251028225157" src="https://github.com/user-attachments/assets/8a366b3f-726a-421a-95ce-e0a8ed240a4c" />
Within the same tab, we confirm that we have 4 clients registered in the database.
<img width="485" height="197" alt="Pasted image 20251028225426" src="https://github.com/user-attachments/assets/b938aa6a-c189-49f1-b87f-4e84634c4740" />
However, we can also search for it in our vulnerable parameter. If we search for only 3 entries, nothing is returned back.
```SQL
') OR (SELECT COUNT(*) FROM Client)=3--
```
<img width="1910" height="361" alt="Pasted image 20251028225548" src="https://github.com/user-attachments/assets/1fbaeab0-e7a5-4baa-9e02-dc428dbe4873" />
But when searching for 4, we now get a true result.
<img width="1877" height="320" alt="Pasted image 20251028225623" src="https://github.com/user-attachments/assets/32a0c44f-eaa5-49c8-b063-e88545c7ec11" />Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Jan 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.16.5
EPSS0.00042
SSVC