PT-2018-11477 · Apache · Apache Fineract
圆珠笔
·
Published
2018-04-20
·
Updated
2018-05-22
·
CVE-2018-1292
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Fineract versions 0.4.0-incubating through 1.0.0
Description
The issue allows a hacker to inject SQL, enabling them to read or update data without proper authorization. This is achieved by exploiting the
reportName parameter within the getReportType method.Recommendations
For Apache Fineract versions 0.4.0-incubating through 1.0.0, as a temporary workaround, consider restricting access to the
getReportType method until a patch is available. Avoid using the reportName parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Fineract