CVE-2018-1292

Name of the Vulnerable Software and Affected Versions Apache Fineract versions 0.4.0-incubating through 1.0.0

Description The issue allows a hacker to inject SQL, enabling them to read or update data without proper authorization. This is achieved by exploiting the reportName parameter within the getReportType method.

Recommendations For Apache Fineract versions 0.4.0-incubating through 1.0.0, as a temporary workaround, consider restricting access to the getReportType method until a patch is available. Avoid using the reportName parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.