CVE-2025-52924
Severity CVSS v4.0: Pending analysis
Type: CWE-89 SQL Injection
Publication date: 19/07/2025
Last modified: 23/07/2025
Description
In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header.
Impact
Base Score 3.x: 4.00
Severity 3.x: MEDIUM
References to Advisories, Solutions, and Tools
- https://oneidentity.com
- https://onelogin.service-now.com/support?id=kb_article&sys_id=59fe4c3c972a2610c90c3b0e6253afef&kb_category=a0d76d70db185340d5505eea4b96199f