What is the severity of CVE-2018-20061?

The severity of CVE-2018-20061 is high.

How does CVE-2018-20061 affect ERPNext?

CVE-2018-20061 affects ERPNext versions 10.x and 11.x through 11.0.3-beta.29.

Who is affected by CVE-2018-20061?

All users of ERPNext versions 10.x and 11.x through 11.0.3-beta.29 are affected by CVE-2018-20061.

What is the Common Weakness Enumeration (CWE) ID for CVE-2018-20061?

The CWE ID for CVE-2018-20061 is 89.

Is there a fix available for CVE-2018-20061?

Yes, a fix is available for CVE-2018-20061. It is recommended to update to a version of ERPNext that is not affected by the vulnerability.

Vulnerability/
CVE-2018-20061

high

7.5

CWE

11/12/2018

5/8/2024

CVE-2018-20061: SQL Injection

First published: Tue Dec 11 2018(Updated: )

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
ERPNext	>=10.0.0<=10.1.76
ERPNext	>=11.0.0<11.0.3
ERPNext	=11.0.3-beta10
ERPNext	=11.0.3-beta11
ERPNext	=11.0.3-beta12
ERPNext	=11.0.3-beta13
ERPNext	=11.0.3-beta14
ERPNext	=11.0.3-beta15
ERPNext	=11.0.3-beta16
ERPNext	=11.0.3-beta17
ERPNext	=11.0.3-beta18
ERPNext	=11.0.3-beta19
ERPNext	=11.0.3-beta2
ERPNext	=11.0.3-beta20
ERPNext	=11.0.3-beta21
ERPNext	=11.0.3-beta22
ERPNext	=11.0.3-beta23
ERPNext	=11.0.3-beta24
ERPNext	=11.0.3-beta25
ERPNext	=11.0.3-beta26
ERPNext	=11.0.3-beta27
ERPNext	=11.0.3-beta28
ERPNext	=11.0.3-beta29
ERPNext	=11.0.3-beta3
ERPNext	=11.0.3-beta4
ERPNext	=11.0.3-beta5
ERPNext	=11.0.3-beta6
ERPNext	=11.0.3-beta7
ERPNext	=11.0.3-beta8
ERPNext	=11.0.3-beta9

Never miss a vulnerability like this again

Reference Links

https://github.com/frappe/erpnext/issues/15337

Frequently Asked Questions

What is the severity of CVE-2018-20061?
The severity of CVE-2018-20061 is high.
How does CVE-2018-20061 affect ERPNext?
CVE-2018-20061 affects ERPNext versions 10.x and 11.x through 11.0.3-beta.29.
Who is affected by CVE-2018-20061?
All users of ERPNext versions 10.x and 11.x through 11.0.3-beta.29 are affected by CVE-2018-20061.
What is the Common Weakness Enumeration (CWE) ID for CVE-2018-20061?
The CWE ID for CVE-2018-20061 is 89.
Is there a fix available for CVE-2018-20061?
Yes, a fix is available for CVE-2018-20061. It is recommended to update to a version of ERPNext that is not affected by the vulnerability.

agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/severity
agent/last-modified-date
agent/weakness
agent/references
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/frappe
canonical/erpnext
version/erpnext/10.0.0
version/erpnext/10.1.76
version/erpnext/11.0.0
version/erpnext/11.0.3-beta10
version/erpnext/11.0.3-beta11
version/erpnext/11.0.3-beta12
version/erpnext/11.0.3-beta13
version/erpnext/11.0.3-beta14
version/erpnext/11.0.3-beta15
version/erpnext/11.0.3-beta16
version/erpnext/11.0.3-beta17
version/erpnext/11.0.3-beta18
version/erpnext/11.0.3-beta19
version/erpnext/11.0.3-beta2
version/erpnext/11.0.3-beta20
version/erpnext/11.0.3-beta21
version/erpnext/11.0.3-beta22
version/erpnext/11.0.3-beta23
version/erpnext/11.0.3-beta24
version/erpnext/11.0.3-beta25
version/erpnext/11.0.3-beta26
version/erpnext/11.0.3-beta27
version/erpnext/11.0.3-beta28
version/erpnext/11.0.3-beta29
version/erpnext/11.0.3-beta3
version/erpnext/11.0.3-beta4
version/erpnext/11.0.3-beta5
version/erpnext/11.0.3-beta6
version/erpnext/11.0.3-beta7
version/erpnext/11.0.3-beta8
version/erpnext/11.0.3-beta9