Vulnerability Database
299,584
Total vulnerabilities in the database
CVE-2018-20061
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.
| Software | From | Fixed in |
|---|---|---|
| frappe / erpnext | 10.0.0 | 10.1.76.x |
| frappe / erpnext | 11.0.0 | 11.0.3 |
| frappe / erpnext | 11.0.3-beta2 | 11.0.3-beta2.x |
| frappe / erpnext | 11.0.3-beta3 | 11.0.3-beta3.x |
| frappe / erpnext | 11.0.3-beta4 | 11.0.3-beta4.x |
| frappe / erpnext | 11.0.3-beta5 | 11.0.3-beta5.x |
| frappe / erpnext | 11.0.3-beta6 | 11.0.3-beta6.x |
| frappe / erpnext | 11.0.3-beta7 | 11.0.3-beta7.x |
| frappe / erpnext | 11.0.3-beta8 | 11.0.3-beta8.x |
| frappe / erpnext | 11.0.3-beta9 | 11.0.3-beta9.x |
| frappe / erpnext | 11.0.3-beta10 | 11.0.3-beta10.x |
| frappe / erpnext | 11.0.3-beta11 | 11.0.3-beta11.x |
| frappe / erpnext | 11.0.3-beta12 | 11.0.3-beta12.x |
| frappe / erpnext | 11.0.3-beta13 | 11.0.3-beta13.x |
| frappe / erpnext | 11.0.3-beta14 | 11.0.3-beta14.x |
| frappe / erpnext | 11.0.3-beta15 | 11.0.3-beta15.x |
| frappe / erpnext | 11.0.3-beta16 | 11.0.3-beta16.x |
| frappe / erpnext | 11.0.3-beta17 | 11.0.3-beta17.x |
| frappe / erpnext | 11.0.3-beta18 | 11.0.3-beta18.x |
| frappe / erpnext | 11.0.3-beta19 | 11.0.3-beta19.x |
| frappe / erpnext | 11.0.3-beta20 | 11.0.3-beta20.x |
| frappe / erpnext | 11.0.3-beta21 | 11.0.3-beta21.x |
| frappe / erpnext | 11.0.3-beta22 | 11.0.3-beta22.x |
| frappe / erpnext | 11.0.3-beta23 | 11.0.3-beta23.x |
| frappe / erpnext | 11.0.3-beta24 | 11.0.3-beta24.x |
| frappe / erpnext | 11.0.3-beta25 | 11.0.3-beta25.x |
| frappe / erpnext | 11.0.3-beta26 | 11.0.3-beta26.x |
| frappe / erpnext | 11.0.3-beta27 | 11.0.3-beta27.x |
| frappe / erpnext | 11.0.3-beta28 | 11.0.3-beta28.x |
| frappe / erpnext | 11.0.3-beta29 | 11.0.3-beta29.x |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime