Vulnerability Spotlight: TALOS-2018-0560 - ERPNext SQL Injection Vulnerabilities

2018-09-06T06:39:00
ID TALOSBLOG:AFC8AC0CE0E5E3827DAEBC9EEBFCB44C
Type talosblog
Reporter noreply@blogger.com (Holger Unterbrink)
Modified 2018-09-06T16:52:25

Description

Vulnerabilities discovered by Yuri Kramar from the Cisco Security Advisor Team

Overview

Talos is disclosing multiple SQL injection vulnerabilities in the Frappe ERPNext Version 10.1.6 application. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities allow an attacker to bypass authentication and gain unauthenticated access to sensitive data. An attacker can use a normal web browser to trigger these vulnerabilities — no special tools are required.

Details

The vulnerabilities were assigned to the CVE IDs CVE-2018-3882 - CVE-2018-3885. An attacker can use the following parameters for SQL injection:

CVE-2018-3882 - searchfield parameter
query=erpnext.controllers.queries.

CVE-2018-3883 - employee parameter
cmd=erpnext.hr.doctype.leave_application.leave_application.

CVE-2018-3883 - sort_order parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - sort_by parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - start parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3885
cmd=frappe.desk.reportview.

More technical details can be found in the Talos vulnerability reports.
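The parameters listed above (sort_by, sort_order and start for the item dashboard) are the classic case where ORDER BY and OFFSET values cannot be bound as query parameters, so the fix is an allow-list plus integer coercion. The following is an added illustration, not ERPNext's or Frappe's own code; the table, column names and allow-lists are assumptions made up for the demo.

```python
import sqlite3

# Assumed allow-lists for the demo; the real ERPNext schema is not reproduced here.
SORT_BY_COLUMNS = {"item_code", "warehouse", "actual_qty"}
SORT_ORDERS = {"asc", "desc"}
PAGE_SIZE = 20


def build_dashboard_query_unsafe(sort_by, sort_order, start):
    # Anti-pattern: request parameters are spliced verbatim into SQL text,
    # so sort_by, sort_order and start each become an injection point.
    return (f"SELECT item_code, warehouse, actual_qty FROM bin "
            f"ORDER BY {sort_by} {sort_order} LIMIT {PAGE_SIZE} OFFSET {start}")


def build_dashboard_query_safe(sort_by, sort_order, start):
    """Return (sql, params). ORDER BY targets cannot be bound as parameters,
    so they are checked against an allow-list; OFFSET is bound as an integer."""
    if sort_by not in SORT_BY_COLUMNS:
        raise ValueError(f"sort_by not allowed: {sort_by!r}")
    order = str(sort_order).lower()
    if order not in SORT_ORDERS:
        raise ValueError(f"sort_order not allowed: {sort_order!r}")
    try:
        offset = int(start)
    except (TypeError, ValueError):
        raise ValueError(f"start must be an integer: {start!r}")
    if offset < 0:
        raise ValueError(f"start must be non-negative: {start!r}")
    sql = (f"SELECT item_code, warehouse, actual_qty FROM bin "
           f"ORDER BY {sort_by} {order} LIMIT {PAGE_SIZE} OFFSET ?")
    return sql, (offset,)


def is_accepted(sort_by, sort_order, start):
    """True if the hardened builder accepts the request parameters."""
    try:
        build_dashboard_query_safe(sort_by, sort_order, start)
        return True
    except ValueError:
        return False


def run_demo():
    # Constructed in-memory data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bin (item_code TEXT, warehouse TEXT, actual_qty REAL)")
    conn.executemany("INSERT INTO bin VALUES (?, ?, ?)",
                     [("A", "W1", 5), ("B", "W1", 2), ("C", "W2", 9)])
    sql, params = build_dashboard_query_safe("actual_qty", "DESC", "0")
    return [row[0] for row in conn.execute(sql, params)]
```

The same allow-list treatment applies to the searchfield and employee parameters: a field name arriving from the client is checked against the set of columns the endpoint is meant to expose, never interpolated as received.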

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 46165-46172