High severity8.8NVD Advisory· Published Dec 14, 2017· Updated May 13, 2026

CVE-2017-5663

Description

In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and appended directly to the query.

Affected products

Apache/Fineract3 versions
cpe:2.3:a:apache:fineract:0.4.0-incubating:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:apache:fineract:0.4.0-incubating:*:*:*:*:*:*:*
- cpe:2.3:a:apache:fineract:0.5.0-incubating:*:*:*:*:*:*:*
- cpe:2.3:a:apache:fineract:0.6.0-incubating:*:*:*:*:*:*:*
Apache Software Foundation/Apache Fineractv5
Range: 0.4.0-incubating

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.apache.org/thread.html/757feeffe45a75d3c0d08b551e71fabdae5d352543be2342b6ba2c93%40%3Cdev.fineract.apache.org%3Envd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000