CVE-2018-1292: SQL Injection
First published: Fri Apr 20 2018(Updated: )
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Fineract | =0.4.0 | |
| Apache Fineract | =0.5.0 | |
| Apache Fineract | =0.6.0 | |
| Apache Fineract | =1.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2018-1292.
What is the severity of CVE-2018-1292?
The severity of CVE-2018-1292 is high with a CVSS score of 8.1.
Which software versions are affected by CVE-2018-1292?
Apache Fineract versions 0.4.0, 0.5.0, 0.6.0, and 1.0.0 are affected by CVE-2018-1292.
How can a hacker exploit CVE-2018-1292?
A hacker can exploit CVE-2018-1292 by injecting SQL through the 'reportName' parameter in the 'getReportType' method, allowing unauthorized reading or updating of data.
Are there any references for more information about CVE-2018-1292?
Yes, you can find more information about CVE-2018-1292 at the following references: [link1](http://www.securityfocus.com/bid/104007), [link2](https://lists.apache.org/thread.html/a24610817845d022d5fe89cfe21563ef83bea35ca95de867cd2c4ee9@%3Cdev.fineract.apache.org%3E).
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache fineract
- version/apache fineract/0.4.0
- version/apache fineract/0.5.0
- version/apache fineract/0.6.0
- version/apache fineract/1.0.0