CVE-2024-32838
CVE-2024-32838 affects Apache Fineract, specifically SQL injection in the offices API endpoint (and related endpoints such as dashboards). Vulnerable products are Fineract versions 1.9 and earlier; the issue allows an authenticated attacker to inject malicious data into REST API query parameters....
CVE-2024-23538
CVE-2024-23538 concerns Apache Fineract prior to version 1.8.5, where an SQL Injection can be triggered by improper neutralization in the sqlSearch parameter. The vulnerability stems from unsafely constructed SQL statements, enabling an attacker to view, modify, or delete data in the backend data...
CVE-2023-25197
Apache Fineract has a SQL injection vulnerability (CVE-2023-25197) due to improper neutralization of special elements in certain procedure calls. Affected versions are 1.4 through 1.8.2 (some sources note up to 1.8.3). Authorized users may exploit this with limited impact on components. The root ...
CVE-2023-25195
CVE-2023-25195 describes a Server-Side Request Forgery (SSRF) in Apache Fineract 1.4–1.8.3. Authorized users with limited permissions can cause the server to initiate outbound requests, potentially exposing intranet information or attacking intranet services. The Red Hat, NVD, CNVD, and OSV recor...
CVE-2024-23539
CVE-2024-23539 affects Apache Fineract up to version 1.8.5 (pre-1.8.5). The issue is an SQL Injection vulnerability arising from improper neutralization of special elements in the sqlSearch parameter of specific endpoints, enabling an attacker to view, add, modify, or delete information in the ba...
CVE-2022-44635
CVE-2022-44635 affects Apache Fineract up to version 1.8.0. A path traversal vulnerability in the file upload component allows an authenticated user to trigger remote code execution. Impact and exploitability details indicate a network-remote condition with high risk (authenticated with low privi...
CVE-2023-25196
The CVE-2023-25196 entry concerns an SQL Injection vulnerability in Apache Fineract. Affected software is Apache Fineract versions 1.4 through 1.8.2 (as per multiple sources). The root cause is improper neutralization of special elements used in SQL commands, enabling authorized users to change o...
CVE-2024-23537
CVE-2024-23537 is an elevation-of-privilege vulnerability in Apache Fineract. Reports describe an improper privilege management issue that, under certain circumstances, could allow users to escalate to any role. Affected versions are listed as earlier than 1.9.0, with 1.9.0 identified as the fix...
CVE-2018-11800
CVE-2018-11800 affects Apache Fineract prior to 1.3.0, enabling SQL injection through a query on the GroupSummaryCounts related table. CVSSv3 base score 9.8 (CRITICAL); CVSSv2 base score 7.5 (HIGH).
CVE-2018-11801
CVE-2018-11801 pertains to Apache Fineract and is a SQL injection vulnerability present in versions before 1.3.0, allowing an attacker to execute arbitrary SQL commands via a query on a center-related table. The issue is documented across multiple sources (NVD entry and CNVD/OSV entries) with con...
CVE-2018-1292
Apache Fineract exposes an SQL injection in getReportType across multiple versions (1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating) via the reportName parameter, enabling a potentially authenticated attacker to read or update data without authorization. The root cause is improper han...
CVE-2018-1291
CVE-2018-1291 affects Apache Fineract releases 1.0.0, 0.6.0-incubating, 0.5.0-incubating, and 0.4.0-incubating. The flaw arises in REST endpoints that expose domain-specific queries using an orderBy parameter whose value is appended directly into SQL statements, enabling an attacker to craft the ...
CVE-2018-1289
Summary: CVE-2018-1289 affects Apache Fineract up to 1.0.0 and older 0.x-incubating releases. The vulnerability arises because REST endpoints expose domain entities with query parameters orderBy and sortOrder that are appended directly into SQL statements. This allows a hacker to craft the parame...
CVE-2020-17514
Apache Fineract up to version 1.5.0 disables HTTPS hostname verification in ProcessorHelper.configureClient, enabling potential MITM if hostname checks are not performed. This affects the client-communication security path and is documented across multiple sources (e.g., RH security pages and CVE...
CVE-2017-5663
CVE-2017-5663 affects Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating. An authenticated user with read permissions on client/loan/center/staff/group can inject malicious SQL into SELECT queries via the sqlSearch parameter across several endpoints where input is appended d...
CVE-2018-1290
Apache Fineract vulnerability CVE-2018-1290 is confirmed in multiple 1.0.x/0.x-incubating releases. The issue is an SQL injection caused by improper handling of a single quotation escape with two consecutive SQL parameters, exploitable via methods such as retrieveAuditEntries (AuditsApiResource) ...
CVE-2018-20243
The CVE-2018-20243 entry documents a credential exposure caused by using POST with the username and password in URL parameters. Connected sources (Red Hat advisory, NVD listing, OSV, etc.) confirm the same description, referencing fineract Jira issues 726 and 629 as the context. The available mat...
CVE-2025-23408
CVE-2025-23408 concerns Apache Fineract and is described as a Weak Password Requirements vulnerability. Affected versions are listed as through 1.10.1, with a fix in 1.11.0. Upgrading to the latest release (1.13.0) is advised. The root cause is a weak password policy that could undermine authenti...
CVE-2025-58137
CVE-2025-58137 describes an Authorization Bypass via a User-Controlled Key in Apache Fineract (IDOR). Affected product: Apache Fineract up to 1.11.0; fixed in 1.12.1, with guidance to upgrade to 1.13.0. Root cause per CNVD: insecure direct object reference (IDOR) leading to authorization bypass. ...
CVE-2025-58130
Apache Fineract is affected by an Insufficiently Protected Credentials vulnerability up to version 1.11.0. The issue is fixed in 1.12.1, and users are advised to upgrade to 1.13.0 (latest release). The primary public details indicate credential exposure risk but do not describe specific exploitat...