CVE-2020-6145

Name of the Vulnerable Software and Affected Versions ERPNext version 11.1.38

Description A vulnerability exists in the frappe.desk.reportview.get functionality, allowing for SQL injection. This can be triggered by a specially crafted HTTP request, enabling an attacker to exploit the issue through an authenticated HTTP request.

Recommendations For ERPNext version 11.1.38, consider restricting access to the frappe.desk.reportview.get functionality until a patch is available. As a temporary workaround, limit the use of this functionality to minimize the risk of exploitation.