Lucene search

Apache Fineract 0.4.0

5 matches found

CVE
added 2018/04/20 6:29 p.m. | 37 views

CVE-2018-1289

In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended directly with SQL statements. A hacker/user can inject/draft th...

8.8 CVSS | 8.8 AI score | 0.00562 EPSS
CVE
added 2018/04/20 6:29 p.m. | 37 views

CVE-2018-1292

Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization by way of the 'reportName' parameter.

8.1 CVSS | 8.1 AI score | 0.006 EPSS
CVE
added 2018/04/20 6:29 p.m. | 36 views

CVE-2018-1291

Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query parameter by way of th...

8.1 CVSS | 8.2 AI score | 0.00265 EPSS
CVE
added 2018/04/20 6:29 p.m. | 35 views

CVE-2018-1290

In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of Makerchec...

9.8 CVSS | 9.7 AI score | 0.00617 EPSS
CVE
added 2020/10/13 7:15 p.m. | 26 views

CVE-2018-20243

The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in Fineract Jira issues 726 and 629.

7.5 CVSS | 7.6 AI score | 0.00681 EPSS