PT-2017-16655 · Apache · Apache Fineract

Published: 2017-12-14 · Updated: 2018-01-12 · CVE-2017-5663

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Fineract versions 0.4.0-incubating through 0.6.0-incubating

Description: The issue allows an authenticated user with specific read permissions to inject malicious SQL into SELECT queries. This is possible because the sqlSearch parameter is not sanitized and is appended directly to the query on several endpoints.

Recommendations: For Apache Fineract versions 0.4.0-incubating through 0.6.0-incubating, consider restricting access to the sqlSearch parameter to prevent SQL injection attacks until a patch is available. As a temporary workaround, limit the permissions of authenticated users to minimize the risk of exploitation.

Fix

SQL injection

Weakness Enumeration

Related identifiers

CVE-2017-5663

Affected products

Apache Fineract