SQL Injection

The _domain field is not protected against SQL injection.
/ws/rest/com.axelor.meta.db.MetaMenu/search have a payload that can be tampered as such to allow an SQL Injection.