CVE-2018-20061: SQL Injection
First published: Tue Dec 11 2018(Updated: )
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Frappe ERPNext | >=10.0.0<=10.1.76 | |
| Frappe ERPNext | >=11.0.0<11.0.3 | |
| Frappe ERPNext | =11.0.3-beta10 | |
| Frappe ERPNext | =11.0.3-beta11 | |
| Frappe ERPNext | =11.0.3-beta12 | |
| Frappe ERPNext | =11.0.3-beta13 | |
| Frappe ERPNext | =11.0.3-beta14 | |
| Frappe ERPNext | =11.0.3-beta15 | |
| Frappe ERPNext | =11.0.3-beta16 | |
| Frappe ERPNext | =11.0.3-beta17 | |
| Frappe ERPNext | =11.0.3-beta18 | |
| Frappe ERPNext | =11.0.3-beta19 | |
| Frappe ERPNext | =11.0.3-beta2 | |
| Frappe ERPNext | =11.0.3-beta20 | |
| Frappe ERPNext | =11.0.3-beta21 | |
| Frappe ERPNext | =11.0.3-beta22 | |
| Frappe ERPNext | =11.0.3-beta23 | |
| Frappe ERPNext | =11.0.3-beta24 | |
| Frappe ERPNext | =11.0.3-beta25 | |
| Frappe ERPNext | =11.0.3-beta26 | |
| Frappe ERPNext | =11.0.3-beta27 | |
| Frappe ERPNext | =11.0.3-beta28 | |
| Frappe ERPNext | =11.0.3-beta29 | |
| Frappe ERPNext | =11.0.3-beta3 | |
| Frappe ERPNext | =11.0.3-beta4 | |
| Frappe ERPNext | =11.0.3-beta5 | |
| Frappe ERPNext | =11.0.3-beta6 | |
| Frappe ERPNext | =11.0.3-beta7 | |
| Frappe ERPNext | =11.0.3-beta8 | |
| Frappe ERPNext | =11.0.3-beta9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-20061?
The severity of CVE-2018-20061 is high.
How does CVE-2018-20061 affect ERPNext?
CVE-2018-20061 affects ERPNext versions 10.x and 11.x through 11.0.3-beta.29.
Who is affected by CVE-2018-20061?
All users of ERPNext versions 10.x and 11.x through 11.0.3-beta.29 are affected by CVE-2018-20061.
What is the Common Weakness Enumeration (CWE) ID for CVE-2018-20061?
The CWE ID for CVE-2018-20061 is 89.
Is there a fix available for CVE-2018-20061?
Yes, a fix is available for CVE-2018-20061. It is recommended to update to a version of ERPNext that is not affected by the vulnerability.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/frappe
- canonical/frappe erpnext
- version/frappe erpnext/10.0.0
- version/frappe erpnext/10.1.76
- version/frappe erpnext/11.0.0
- version/frappe erpnext/11.0.3-beta10
- version/frappe erpnext/11.0.3-beta11
- version/frappe erpnext/11.0.3-beta12
- version/frappe erpnext/11.0.3-beta13
- version/frappe erpnext/11.0.3-beta14
- version/frappe erpnext/11.0.3-beta15
- version/frappe erpnext/11.0.3-beta16
- version/frappe erpnext/11.0.3-beta17
- version/frappe erpnext/11.0.3-beta18
- version/frappe erpnext/11.0.3-beta19
- version/frappe erpnext/11.0.3-beta2
- version/frappe erpnext/11.0.3-beta20
- version/frappe erpnext/11.0.3-beta21
- version/frappe erpnext/11.0.3-beta22
- version/frappe erpnext/11.0.3-beta23
- version/frappe erpnext/11.0.3-beta24
- version/frappe erpnext/11.0.3-beta25
- version/frappe erpnext/11.0.3-beta26
- version/frappe erpnext/11.0.3-beta27
- version/frappe erpnext/11.0.3-beta28
- version/frappe erpnext/11.0.3-beta29
- version/frappe erpnext/11.0.3-beta3
- version/frappe erpnext/11.0.3-beta4
- version/frappe erpnext/11.0.3-beta5
- version/frappe erpnext/11.0.3-beta6
- version/frappe erpnext/11.0.3-beta7
- version/frappe erpnext/11.0.3-beta8
- version/frappe erpnext/11.0.3-beta9