SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to…
Summary
A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.
What this means
In plain English
A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix. SQL injection can cause attacker-controlled input to be interpreted as a database query, putting stored data and application integrity at risk.
Recommended action
Vendor mitigation: Users are recommended to upgrade to a version containing the fix. No fixed release is recorded in the parsed advisory, so treat these controls as temporary until the vendor confirms a patched release.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- 1.14.0
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Fixed versions
No fixed release is recorded yet. That does not prove no patch exists — confirm against the vendor advisory.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Users are recommended to upgrade to a version containing the fix.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.