Lucene search

TalosCVELIST:CVE-2020-6145

HistoryAug 10, 2020 - 1:10 p.m.

CVE-2020-6145

2020-08-1013:10:24

CWE-89

talos

www.cve.org

sql injection

erpnext

http request

vulnerability

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.0%

JSON

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CNA Affected

[
  {
    "product": "ERPNext",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "ERPNext 11.1.38"
      }
    ]
  }
]

References

talosintelligence.com/vulnerability_reports/TALOS-2020-1091

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.0%

JSON

Related for CVELIST:CVE-2020-6145