CVE-2018-3884

Name of the Vulnerable Software and Affected Versions ERPNext version 10.1.6

Description An exploitable SQL injection issue exists in the authenticated part of the software. Specially crafted web requests can cause SQL injections, resulting in data compromise. The sort by and start parameters can be used to perform an SQL injection attack. An attacker can use a browser to trigger this issue, and no special tools are required.

Recommendations For ERPNext version 10.1.6, as a temporary workaround, consider restricting access to the parameters sort by and start to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.