Thursday, September 6, 2018

Vulnerability Spotlight: TALOS-2018-0560 - ERPNext SQL Injection Vulnerabilities

Vulnerabilities discovered by Yuri Kramarz from the Cisco Security Advisor Team


Overview

Talos is disclosing multiple SQL injection vulnerabilities in the Frappe ERPNext Version 10.1.6 application. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities enable an attacker to bypass authentication and get unauthenticated access to sensitive data. An attacker can use a normal web browser to trigger these vulnerabilities — no special tools are required.

Details

The vulnerabilities were assigned to the CVE IDs CVE-2018-3882 - CVE-2018-3885. An attacker can use the following parameters for SQL injection:

CVE-2018-3882 - searchfield parameter
query=erpnext.controllers.queries.

CVE-2018-3883 - employee parameter
cmd=erpnext.hr.doctype.leave_application.leave_application.

CVE-2018-3883 - sort_order parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - sort_by parameter 
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - start parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3885
cmd=frappe.desk.reportview.

More technical details can be found in the Talos vulnerability reports.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 46165-46172





No comments:

Post a Comment