NVD Vulnerability Details: CVE-2018-20061
Analyzed
Source: cve@mitre.org
Published At: 11 Dec, 2018 | 17:29
Updated At: 02 Jan, 2019 | 14:50

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.

CISA Catalog
Date Added | Due Date | Vulnerability Name | Required Action
N/A
Metrics
Type | Version | Base score | Base severity | Vector
Primary | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches

Vendor | Product | Version | CPE
frappe | erpnext | Versions from 10.0.0 (inclusive) to 10.1.76 (inclusive) | cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*
frappe | erpnext | Versions from 11.0.0 (inclusive) to 11.0.3 (exclusive) | cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta10:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta11:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta12:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta13:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta14:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta15:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta16:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta17:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta18:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta19:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta2:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta20:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta21:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta22:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta23:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta24:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta25:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta26:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta27:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta28:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta29:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta3:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta4:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta5:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta6:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta7:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta8:*:*:*:*:*:*
frappe | erpnext | 11.0.3 | cpe:2.3:a:frappe:erpnext:11.0.3:beta9:*:*:*:*:*:*
Weaknesses
CWE ID | Type | Source
CWE-89 | Primary | nvd@nist.gov
References
Hyperlink | Source | Resource
https://github.com/frappe/erpnext/issues/15337 | cve@mitre.org | Third Party Advisory
Change History
0 changes found
