CVE-2018-20061

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
VendorProductVersion
frappeerpnext
10.0.0 ≤
𝑥
≤ 10.1.76
frappeerpnext
11.0.0 ≤
𝑥
< 11.0.3
frappeerpnext
11.0.3:beta10
frappeerpnext
11.0.3:beta11
frappeerpnext
11.0.3:beta12
frappeerpnext
11.0.3:beta13
frappeerpnext
11.0.3:beta14
frappeerpnext
11.0.3:beta15
frappeerpnext
11.0.3:beta16
frappeerpnext
11.0.3:beta17
frappeerpnext
11.0.3:beta18
frappeerpnext
11.0.3:beta19
frappeerpnext
11.0.3:beta2
frappeerpnext
11.0.3:beta20
frappeerpnext
11.0.3:beta21
frappeerpnext
11.0.3:beta22
frappeerpnext
11.0.3:beta23
frappeerpnext
11.0.3:beta24
frappeerpnext
11.0.3:beta25
frappeerpnext
11.0.3:beta26
frappeerpnext
11.0.3:beta27
frappeerpnext
11.0.3:beta28
frappeerpnext
11.0.3:beta29
frappeerpnext
11.0.3:beta3
frappeerpnext
11.0.3:beta4
frappeerpnext
11.0.3:beta5
frappeerpnext
11.0.3:beta6
frappeerpnext
11.0.3:beta7
frappeerpnext
11.0.3:beta8
frappeerpnext
11.0.3:beta9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/frappe/erpnext/issues/15337
https://github.com/frappe/erpnext/issues/15337