CVE-2025-13168: SQL Injection in ury-erp ury
A weakness has been identified in ury-erp ury up to 0.2.0. This affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. Manipulation of the argument search_term causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. Upgrading to version 0.2.1 mitigates this issue. Patch name: 063384e0dddfd191847cd2d6524c342cc380b058. It is suggested to upgrade the affected component. The vendor replied and reacted very professionally.
AI Analysis
Technical Summary
CVE-2025-13168 is a SQL injection vulnerability identified in the ury-erp software, specifically affecting the ury product versions 0.1 and 0.2.0. The vulnerability resides in the overrided_past_order_list function located in the ury/ury/api/pos_extend.py file. The issue arises due to insufficient sanitization or validation of the search_term parameter, which is directly incorporated into SQL queries. This flaw allows remote attackers to manipulate the SQL query logic by injecting malicious SQL code through the search_term argument. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability with low complexity and no privileges required. The vendor has responded professionally by releasing a patch in version 0.2.1, identified by patch hash 063384e0dddfd191847cd2d6524c342cc380b058, which properly sanitizes the input and mitigates the vulnerability. Although no active exploits have been reported in the wild, the public availability of exploit code increases the risk of exploitation by threat actors. This vulnerability could allow attackers to extract sensitive data, modify or delete records, or disrupt database operations, potentially impacting business continuity and data privacy.
Potential Impact
For European organizations using ury-erp, this vulnerability poses a tangible risk to the confidentiality, integrity, and availability of their ERP data. Successful exploitation could lead to unauthorized data disclosure, manipulation of business-critical order information, or denial of service conditions affecting ERP functionality. This could disrupt supply chain management, financial reporting, and operational workflows, leading to financial losses and reputational damage. Given the remote exploitability without authentication, attackers could target exposed ury-erp instances directly over the internet or internal networks. Organizations in sectors with stringent data protection regulations such as GDPR may face compliance risks if sensitive personal or business data is compromised. The medium severity score indicates that while the vulnerability is not critical, it still requires timely remediation to prevent exploitation, especially in environments where ury-erp is integrated with other critical systems.
Mitigation Recommendations
European organizations should immediately upgrade ury-erp to version 0.2.1 or later, as this update contains the official patch that properly sanitizes the search_term parameter to prevent SQL injection. Until the upgrade is applied, organizations should implement network-level protections such as restricting access to the ury-erp application to trusted internal networks or VPNs, and deploying web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the search_term parameter. Regularly audit and monitor database logs for suspicious queries or anomalies indicative of injection attempts. Conduct security assessments and penetration testing focused on input validation controls within ury-erp. Additionally, ensure that database user permissions follow the principle of least privilege to limit the potential damage from any successful injection. Maintain up-to-date backups of ERP data to enable recovery in case of data corruption or deletion. Finally, keep abreast of vendor advisories and threat intelligence feeds for any emerging exploit activity related to this vulnerability.
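The advisory states that search_term is incorporated directly into SQL text and that the fix sanitizes it. The following is an added example, not code from ury-erp or its patch: it contrasts the string-splicing pattern the advisory describes with the parameterized form a reviewer would expect, using an in-memory SQLite table with a constructed schema (past_orders with name and customer columns) and hypothetical function names. It also covers one edge case the paragraph does not mention: LIKE wildcard characters (% and _) must be escaped separately, because binding the parameter alone does not make them literal.

```python
import sqlite3

# Constructed sample data standing in for an ERP's past-order table.
# The schema is illustrative and is not the schema used by ury-erp.
SAMPLE_ORDERS = [
    ("POS-0001", "Alice Smith"),
    ("POS-0002", "Conor O'Brien"),
    ("POS-0003", "Bob Jones"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE past_orders (name TEXT, customer TEXT)")
    conn.executemany("INSERT INTO past_orders VALUES (?, ?)", SAMPLE_ORDERS)
    return conn


def past_order_list_unsafe(conn, search_term):
    """Vulnerable pattern (hypothetical, mirrors the flaw class in the advisory):
    the search term is spliced into the SQL string, so any quote or wildcard
    in it is parsed as SQL syntax rather than treated as data."""
    sql = (
        "SELECT name FROM past_orders "
        f"WHERE customer LIKE '%{search_term}%' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    """Escape LIKE metacharacters so the term matches literally.
    Backslash is declared as the escape character in the query below."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def past_order_list_safe(conn, search_term):
    """Hardened pattern: the term travels as a bound parameter, so the driver
    always treats it as a string value; LIKE wildcards are escaped as well."""
    sql = (
        "SELECT name FROM past_orders "
        "WHERE customer LIKE ? ESCAPE '\\' ORDER BY name"
    )
    pattern = f"%{escape_like(search_term)}%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def unsafe_rejects_quote(conn, search_term):
    """Return True if the spliced query fails to parse for this term.
    A plain apostrophe in a customer name is enough to break it, which is
    the symptom a defender would see in database error logs."""
    try:
        past_order_list_unsafe(conn, search_term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print("safe, O'Brien:", past_order_list_safe(conn, "O'Brien"))
    print("safe, '%':", past_order_list_safe(conn, "%"))
    print("unsafe, '%':", past_order_list_unsafe(conn, "%"))
    print("unsafe breaks on apostrophe:", unsafe_rejects_quote(conn, "O'Brien"))
```

The spliced version returns every row for a search term of "%" and raises a syntax error for a customer name containing an apostrophe; the bound-parameter version returns only the matching order and treats "%" as a literal character. When auditing a fix for this class of bug, checking that the query text no longer contains the user-supplied value and that wildcard characters are escaped covers both halves of the problem.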
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-14T08:13:43.179Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69174732ec553ac0a0d74e04
Added to database: 11/14/2025, 3:13:54 PM
Last enriched: 11/14/2025, 3:28:48 PM
Last updated: 11/14/2025, 11:13:13 PM
Views: 10