CVE-2018-3884

Summary

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

Affected Software

VendorProductVersion RangeStatus
TalosERPNextERPNext v10.1.6 (master)affected

Weaknesses

  • SQL injection

ADP Enrichment

CVE Program Container

Additional References

References