CVE-2018-20061

Source
https://cve.org/CVERecord?id=CVE-2018-20061
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20061.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-20061
Published
2018-12-11T17:29:00.507Z
Modified
2026-03-14T09:31:40.475154Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

A SQL injection vulnerability was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. The attack requires a logged-in user; however, many ERPNext sites allow account creation via the web, and no special privileges are needed beyond that. By calling a JavaScript function that in turn calls a server-side Python function with carefully chosen arguments, an attacker can construct SQL queries that return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.

References

Affected packages

Git / github.com/frappe/erpnext

Affected ranges

Type
GIT
Repo
https://github.com/frappe/erpnext
Events
Database specific
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "last_affected": "10.1.76"
        }
    ]
}

Affected versions

v10.*
v10.0.0
v10.0.1
v10.0.10
v10.0.11
v10.0.12
v10.0.13
v10.0.14
v10.0.15
v10.0.16
v10.0.17
v10.0.18
v10.0.19
v10.0.2
v10.0.20
v10.0.21
v10.0.22
v10.0.23
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.8
v10.0.9
v10.1.0
v10.1.1
v10.1.10
v10.1.11
v10.1.12
v10.1.13
v10.1.14
v10.1.15
v10.1.16
v10.1.17
v10.1.18
v10.1.19
v10.1.2
v10.1.20
v10.1.21
v10.1.22
v10.1.23
v10.1.24
v10.1.25
v10.1.26
v10.1.27
v10.1.28
v10.1.29
v10.1.3
v10.1.30
v10.1.31
v10.1.32
v10.1.33
v10.1.34
v10.1.35
v10.1.36
v10.1.37
v10.1.38
v10.1.39
v10.1.4
v10.1.40
v10.1.41
v10.1.42
v10.1.43
v10.1.44
v10.1.45
v10.1.46
v10.1.47
v10.1.48
v10.1.49
v10.1.5
v10.1.50
v10.1.51
v10.1.52
v10.1.53
v10.1.54
v10.1.55
v10.1.56
v10.1.57
v10.1.58
v10.1.59
v10.1.6
v10.1.60
v10.1.61
v10.1.62
v10.1.63
v10.1.64
v10.1.65
v10.1.66
v10.1.67
v10.1.68
v10.1.69
v10.1.7
v10.1.70
v10.1.71
v10.1.72
v10.1.73
v10.1.74
v10.1.75
v10.1.76
v10.1.8
v10.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20061.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "11.0.0"
            },
            {
                "fixed": "11.0.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta11"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta12"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta13"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta14"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta15"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta16"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta17"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta18"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta19"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta20"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta21"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta22"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta23"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta24"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta25"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta26"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta27"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta28"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta29"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta6"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta7"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta8"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0.3-beta9"
            }
        ]
    }
]