CVE-2018-3885

Name of the Vulnerable Software and Affected Versions ERPNext version 10.1.6

Description An exploitable SQL injection issue exists in the authenticated part of the software. Specially crafted web requests can cause SQL injections, resulting in data compromise. The order by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger this issue, and no special tools are required.

Recommendations For ERPNext version 10.1.6, avoid using the order by parameter in affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting access to authenticated parts of the software to minimize the risk of exploitation.