CVE-2018-3882

Source
https://cve.org/CVERecord?id=CVE-2018-3882
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-3882.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-3882
Published
2018-09-12T14:29:01.267Z
Modified
2026-07-08T23:58:07.877879Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

References

Affected packages

Git / github.com/frappe/erpnext

Affected ranges

Type
GIT
Repo
https://github.com/frappe/erpnext
Events
Database specific
{
    "cpe": "cpe:2.3:a:frappe:erpnext:10.1.6:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.1.6"
        },
        {
            "last_affected": "10.1.6"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

10.*
10.1.6
v10.*
v10.1.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-3882.json"