CVE-2018-20061

Name of the Vulnerable Software and Affected Versions ERPNext versions 10.x through 11.0.3-beta.29

Description A SQL injection issue was discovered that allows an attacker to construct SQL queries to return any columns from any tables in the database. This issue is related to the /api/resource/Item?fields= API endpoint, frappe.get list, and frappe.call(). The attack is only available to a logged-in user, but many sites allow account creation via the web, and no special privileges are needed to conduct the attack.

Recommendations For ERPNext versions 10.x through 11.0.3-beta.29, consider restricting access to the /api/resource/Item?fields= API endpoint until a patch is available. As a temporary workaround, avoid using the frappe.get list and frappe.call() functions with untrusted input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.