SQL Injection Vulnerability in ERPNext Software by Frappe
CVE-2018-20061
7.5 HIGH
What is CVE-2018-20061?
A SQL injection vulnerability exists in ERPNext versions 10.x and 11.x through 11.0.3-beta.29. Any logged-in user, without special privileges, can trigger it by invoking a JavaScript function that calls server-side Python functions; the caller-controlled input is incorporated into SQL queries, allowing data to be read from any table in the database. The flaw is reachable through API endpoints such as /api/resource/Item?fields= and through functions like frappe.get_list and frappe.call. Because many ERPNext installations allow users to self-register via the web, unprotected systems are at significant risk.
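The root cause described above is a caller-supplied list of field names being spliced into a SELECT statement. Field names cannot be bound as query parameters, so the defensive control is an allowlist: each requested field must be a plain identifier that exists in the doctype's declared column set, checked before any SQL text is built. The following is an added illustration of that check, not Frappe or ERPNext code; the `tabItem`/`tabSecret` tables, the `ALLOWED_FIELDS` map and the use of SQLite in place of the real database are all constructed for the example.

```python
"""Allowlist validation of a user-supplied `fields` list before it becomes
part of a SELECT statement.  Added illustration; not Frappe/ERPNext code.
Schema, column sets and rows below are constructed for the example."""
import re
import sqlite3

# Constructed: the only columns a caller may request per doctype.
ALLOWED_FIELDS = {"Item": {"name", "item_name", "item_group", "stock_uom"}}

# A column reference must be a bare identifier; anything else is refused.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidField(ValueError):
    """Raised when a requested field is not selectable on the doctype."""


def build_select_unsafe(doctype: str, fields: list[str]) -> str:
    """Vulnerable pattern (do not use): caller text becomes SQL unchanged."""
    return f'SELECT {", ".join(fields)} FROM "tab{doctype}"'


def build_select(doctype: str, fields: list[str]) -> str:
    """Hardened version: reject the request unless every field is a plain
    identifier AND is declared for this doctype.  Only then is SQL assembled,
    with each column quoted as an identifier."""
    allowed = ALLOWED_FIELDS.get(doctype)
    if allowed is None:
        raise InvalidField(f"unknown doctype {doctype!r}")
    for field in fields:
        if not IDENT_RE.match(field) or field not in allowed:
            raise InvalidField(f"field {field!r} is not selectable on {doctype}")
    cols = ", ".join(f'"{f}"' for f in fields)
    return f'SELECT {cols} FROM "tab{doctype}"'


def get_list(conn: sqlite3.Connection, doctype: str, fields: list[str]) -> list[tuple]:
    """Run the validated query and return the rows."""
    return conn.execute(build_select(doctype, fields)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory database: an Item table plus a second table that
    must never be reachable through the Item endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        '''
        CREATE TABLE "tabItem" (name TEXT, item_name TEXT, item_group TEXT, stock_uom TEXT);
        INSERT INTO "tabItem" VALUES ('ITEM-0001', 'Widget', 'Products', 'Nos');
        CREATE TABLE "tabSecret" (name TEXT, value TEXT);
        INSERT INTO "tabSecret" VALUES ('k1', 'do-not-leak');
        '''
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(get_list(conn, "Item", ["name", "item_name"]))
    for bad in (["name", "value"], ["name, item_name"], ["item_name) --"]):
        try:
            get_list(conn, "Item", bad)
        except InvalidField as exc:
            print("rejected:", exc)
```

The check is deliberately two-layered: the regex stops any punctuation from entering the query text, and the per-doctype set stops a syntactically valid column name that simply is not part of the document's schema. Validating against the schema rather than a blacklist of characters is what makes the control hold regardless of how the field list is encoded by the client.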
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
