CVE-2018-3883

Name of the Vulnerable Software and Affected Versions ERPNext version 10.1.6

Description An exploitable SQL injection issue exists in the authenticated part of the software. Specially crafted web requests can cause SQL injections, resulting in data compromise. The employee and sort order parameters can be used to perform an SQL injection attack. An attacker can use a browser to trigger this issue, and no special tools are required.

Recommendations For ERPNext version 10.1.6, consider restricting access to the authenticated part of the software and avoid using the employee and sort order parameters in web requests until a fix is available. As a temporary workaround, restrict the use of these parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.