How severe is CVE-2018-20061?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2018-20061?

This is classified as CWE-89, which is a common weakness in software security.

CVE-2018-20061 - HIGH Severity | CVSS 7.5

Vulnerability Description

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.

Related Vulnerabilities

CVE-2007-10001

HIGH

CVSS:7.5(High)

A vulnerability classified as problematic has been found in web-cyradm. This affects an unknown part of the file search.php. The manipulation of the argument searchstring leads to sql injection. It is...

CWE-892007

CVE-2016-10556

HIGH

CVSS:7.5(High)

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsof...

CWE-892016

CVE-2016-20018

HIGH

CVSS:7.5(High)

Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query.

CWE-892016

CVE-2016-6419

HIGH

CVSS:7.5(High)

SQL injection vulnerability in Cisco Firepower Management Center 4.10.3 through 5.4.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCur25485...

CWE-892016

CVE-2016-6616

HIGH

CVSS:7.5(High)

An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6...

CWE-892016

CVE-2016-7508

HIGH

CVSS:7.5(High)

Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 ...

CWE-892016