cvedb.io
CVE-2018-20061
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2018-12-11T17:29:00.507 · Last modified 2026-06-17T01:52:14.180

Summary

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.

Affected products

frappe — erpnext

Does this affect you?

Add your gear to cvedb and we'll alert you only when frappe ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.