An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Metrics
Affected Vendors & Products
References
History
No history.

Status: PUBLISHED
Assigner: talos
Published: 2018-09-12T14:00:00Z
Updated: 2024-09-17T03:43:30.337Z
Reserved: 2018-01-02T00:00:00
Link: CVE-2018-3883

No data.

Status : Modified
Published: 2018-09-12T14:29:01.390
Modified: 2024-11-21T04:06:13.923
Link: CVE-2018-3883

No data.