Mihaly Dallos created FINERACT-2024:
---------------------------------------

Summary: Error-based SQL Injection vulnerabilities in 3 endpoints
Key: FINERACT-2024
URL: https://issues.apache.org/jira/browse/FINERACT-2024
Project: Apache Fineract
Issue Type: Bug
Reporter: Mihaly Dallos
Assignee: Peter Bagrij
Fix For: 1.9.0

*SQL Injection at /fineract-provider/api/v1/loans*

The sqlSearch parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the sqlSearch parameter, and a database error message was returned.

*SQL Injection at /fineract-provider/api/v1/datatables/cdvfbn*

The URL path filename appears to be vulnerable to SQL injection attacks. A single quote was submitted in the URL path filename, and a database error message was returned. Two single quotes were then submitted and the error message disappeared.

*SQL Injection at /fineract-provider/api/v1/datatables/dfgh*

The URL path filename appears to be vulnerable to SQL injection attacks.

(276 kB) https://festive-quiet-137.notion.site/SQL-Injection-at-fineract-provider-api-v1-datatables-dfgh-6c6649a66b2446999e74a060db0a4c32

*SQL Injection at /fineract-provider/api/v1/clients*

The sqlSearch parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the sqlSearch parameter, and a database error message was returned.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
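The following is an added illustration, not Fineract's code: a constructed Python/sqlite3 model of the two patterns the report describes. A search term concatenated into a query reproduces the error-based signal (a lone quote breaks the statement, two quotes do not), and binding the term as a parameter removes it; a datatable name taken from the URL path cannot be bound, so it is checked against an allowlist of known tables instead. The table and column names are hypothetical.

```python
import re
import sqlite3

# Constructed in-memory sample data standing in for a client table (hypothetical schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE m_client (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO m_client (display_name) VALUES (?)",
                     [("Alice Smith",), ("Bob O'Brien",)])
    return conn

def search_clients_vulnerable(conn, sql_search):
    # The pattern behind the report: user input pasted into the SQL text.
    # A single quote closes the literal early and the backend raises a syntax error;
    # two quotes form a valid escaped quote, so the error disappears.
    sql = ("SELECT display_name FROM m_client WHERE display_name LIKE '%"
           + sql_search + "%'")
    return [row[0] for row in conn.execute(sql)]

def search_clients_safe(conn, sql_search):
    # Bind the search term as a parameter: the input is data, never SQL syntax.
    sql = "SELECT display_name FROM m_client WHERE display_name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + sql_search + "%",))]

# Identifiers such as a datatable name cannot be bound as parameters, so a name
# arriving in the URL path must be validated and matched against known tables.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def datatable_name_safe(conn, name):
    if not _IDENT.fullmatch(name):
        raise ValueError("invalid datatable name")
    known = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if name not in known:
        raise ValueError("unknown datatable")
    return name

def probe(conn, fn, value):
    """Classify a search the way the report does: 'error' if the backend
    returns a syntax error for the input, otherwise 'ok'."""
    try:
        fn(conn, value)
        return "ok"
    except sqlite3.OperationalError:
        return "error"
```

The error/no-error difference between `'` and `''` is exactly the signal a scanner keys on, and it vanishes once the term is bound as a parameter.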