SQL Injection Vulnerability in ERPNext 11.1.38: Exploiting frappe.desk.reportview.get Functionality

CVE-2020-6145 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
