CVE-2018-1292

CWE-89 — SQL Injection4 documents4 sources

Severity

8.1HIGH

EPSS

0.6%

top 31.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Fineract Apache Fineract

Timeline

PublishedApr 20

Latest updateMay 14

Description

Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDapache/fineract4 versions+3

▶CVEListV5apache_software_foundation/apache_fineract4 versions+3

🔴Vulnerability Details

GHSA

GHSA-c8cf-c326-jmwf: Within the 'getReportType' method in Apache Fineract 1↗2022-05-14

▶

CVEList

CVE-2018-1292: Within the 'getReportType' method in Apache Fineract 1↗2018-04-20

▶

💬Community

Bugzilla

CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration↗2018-05-16

▶