This is an automated email from the ASF dual-hosted git repository.
meonkeys pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/fineract-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new fad1898 add latest security reports
fad1898 is described below
commit fad189826ed037034de6cb3e91c1785749967ab4
Author: Adam Monsen <[email protected]>
AuthorDate: Thu Dec 11 13:08:37 2025 -0800
add latest security reports
also, prepare to migrate past reports from
https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
to https://fineract.apache.org/security.html . The new Markdown source
will hopefully be much easier to keep clean and consistent.
---
.gitignore | 2 +-
css/security.css | 51 +++++
index.html | 4 +-
security.html | 494 ++++++++++++++++++++++++++++++++++++++++++++++
src/security/Makefile | 17 ++
src/security/Readme.md | 26 +++
src/security/favicon.html | 1 +
src/security/security.md | 322 ++++++++++++++++++++++++++++++
8 files changed, 914 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 525d280..2f584a8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
.idea/
.DS_Store
-
+src/security/security.html
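Review bot: the new ignore rule for `src/security/security.html` hides an intermediate build artifact that the Makefile in this same commit immediately copies to the site root; if pandoc wrote straight to `../../security.html` via `--output`, neither the copy step nor this ignore entry would be needed, and there would be only one rendered file to keep in sync with `security.md`. The rule is otherwise correct: a pattern containing a slash is matched relative to the `.gitignore` location, so it only affects that one path.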
diff --git a/css/security.css b/css/security.css
new file mode 100644
index 0000000..2833bc9
--- /dev/null
+++ b/css/security.css
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+html {
+ font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto,
Oxygen-Sans, Ubuntu, Cantarell, 'Helvetica Neue', sans-serif;
+ line-height: 1.6;
+ background-color: #f8f8ff;
+ color: #343434;
+ font-size: 1.2rem;
+ padding: 0 3rem;
+ font-weight: 300;
+}
+
+td {
+ padding: 2px 10px 2px 10px;
+ border: 1px solid;
+}
+
+strong {
+ font-weight: 600;
+}
+
+a {
+ color: #26a69a;
+}
+
+@media (prefers-color-scheme: dark) {
+ html {
+ background-color: #121212;
+ color: #ffffff;
+ }
+
+ a {
+ color: #4db6ac;
+ }
+}
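Review bot: the `td` rule sets `border: 1px solid` on every cell but nothing in this file sets `border-collapse: collapse` on `table`, so the Report/Fix/Affects tables on security.html render with doubled borders between adjacent cells; add `table { border-collapse: collapse; }` beside the `td` rule. Minor: `border: 1px solid` inherits the text colour for the border, which is fine here because the dark-mode block overrides `color` on `html`, but it is worth a comment so a later colour change does not leave the borders invisible.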
diff --git a/index.html b/index.html
index 45d05d0..dda8036 100644
--- a/index.html
+++ b/index.html
@@ -1008,11 +1008,11 @@
<strong>Current Documentation</strong>
<p class="grey-text">System documentation</p>
</a>
- <a href="https://fineract.apache.org/docs/legacy/index.html"
class="collection-item">
+ <a href="https://fineract.apache.org/docs/legacy/"
class="collection-item">
<strong>API Documentation</strong>
<p class="grey-text">Legacy API reference</p>
</a>
- <a href="https://cwiki.apache.org/confluence/x/nK9zB"
class="collection-item">
+ <a href="security.html" class="collection-item">
<strong>Security Reports</strong>
<p class="grey-text">Fixed security issues and updates</p>
</a>
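Review bot: the removed line `- <a href="https://cwiki.apache.org/confluence/x/nK9zB"` was the only link on the front page to the Confluence report archive, and the commit message says the older reports have not yet been migrated from it; until that migration is finished, either keep a secondary link to the wiki or add a pointer on security.html, so readers of the new page can still reach entries that exist only on the wiki. The new `href="security.html"` is relative, which is correct because index.html and security.html both sit at the site root.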
diff --git a/security.html b/security.html
new file mode 100644
index 0000000..61ca48a
--- /dev/null
+++ b/security.html
@@ -0,0 +1,494 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang="">
+<head>
+ <meta charset="utf-8" />
+ <meta name="generator" content="pandoc" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0,
user-scalable=yes" />
+ <title>Apache Fineract Security Reports</title>
+ <style>
+ /* Default styles provided by pandoc.
+ ** See https://pandoc.org/MANUAL.html#variables-for-html for config info.
+ */
+ code{white-space: pre-wrap;}
+ span.smallcaps{font-variant: small-caps;}
+ div.columns{display: flex; gap: min(4vw, 1.5em);}
+ div.column{flex: auto; overflow-x: auto;}
+ div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
+ /* The extra [class] is a hack that increases specificity enough to
+ override a similar rule in reveal.js */
+ ul.task-list[class]{list-style: none;}
+ ul.task-list li input[type="checkbox"] {
+ font-size: inherit;
+ width: 0.8em;
+ margin: 0 0.8em 0.2em -1.6em;
+ vertical-align: middle;
+ }
+ .display.math{display: block; text-align: center; margin: 0.5rem auto;}
+ </style>
+ <link rel="stylesheet" href="css/security.css" />
+ <link rel="icon" type="image/png" href="images/apache-fineract-icon.png">
+</head>
+<body>
+<nav id="TOC" role="doc-toc">
+<ul>
+<li><a href="#apache-fineract-security-reports"
id="toc-apache-fineract-security-reports">Apache Fineract Security Reports</a>
+<ul>
+<li><a href="#fixed-in-apache-fineract-1.12.1"
id="toc-fixed-in-apache-fineract-1.12.1">Fixed in Apache Fineract
1.12.1</a></li>
+<li><a href="#fixed-in-apache-fineract-1.11.0"
id="toc-fixed-in-apache-fineract-1.11.0">Fixed in Apache Fineract
1.11.0</a></li>
+<li><a href="#fixed-in-apache-fineract-1.10.1"
id="toc-fixed-in-apache-fineract-1.10.1">Fixed in Apache Fineract
1.10.1</a></li>
+<li><a href="#fixed-in-apache-fineract-1.9.0"
id="toc-fixed-in-apache-fineract-1.9.0">Fixed in Apache Fineract 1.9.0</a></li>
+<li><a href="#fixed-in-apache-fineract-1.8.4-and-1.7.3"
id="toc-fixed-in-apache-fineract-1.8.4-and-1.7.3">Fixed in Apache Fineract
1.8.4 and 1.7.3</a></li>
+<li><a href="#fixed-in-apache-fineract-1.8.1-and-1.7.1"
id="toc-fixed-in-apache-fineract-1.8.1-and-1.7.1">Fixed in Apache Fineract
1.8.1 and 1.7.1</a></li>
+<li><a href="#fixed-in-apache-fineract-1.5.0"
id="toc-fixed-in-apache-fineract-1.5.0">Fixed in Apache Fineract 1.5.0</a></li>
+<li><a href="#fixed-in-apache-fineract-1.4.0"
id="toc-fixed-in-apache-fineract-1.4.0">Fixed in Apache Fineract 1.4.0</a></li>
+<li><a href="#fixed-in-apache-fineract-1.3.0"
id="toc-fixed-in-apache-fineract-1.3.0">Fixed in Apache Fineract 1.3.0</a></li>
+<li><a href="#fixed-in-apache-fineract-1.1.0"
id="toc-fixed-in-apache-fineract-1.1.0">Fixed in Apache Fineract 1.1.0</a></li>
+<li><a href="#fixed-in-apache-fineract-1.0.0"
id="toc-fixed-in-apache-fineract-1.0.0">Fixed in Apache Fineract 1.0.0</a></li>
+<li><a href="#notable-fineract-security-policy-updates"
id="toc-notable-fineract-security-policy-updates">Notable Fineract security
policy updates</a></li>
+<li><a href="#editing-this-document" id="toc-editing-this-document">Editing
this document</a></li>
+</ul></li>
+</ul>
+</nav>
+<h1 id="apache-fineract-security-reports">Apache Fineract Security Reports</h1>
+<!--
+Copyright ©2025 The Apache Software Foundation.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
+
+https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+-->
+<p>This page lists all security vulnerabilities fixed in released versions of
Apache Fineract. Each vulnerability is reported via <a
href="http://www.apache.org/security/">the ASF process</a> and given a security
impact rating.</p>
+<p>If you have identified a security issue, let us know immediately via email
to security AT fineract.apache.org. And be sure to <a
href="https://fineract.apache.org/docs/current/#_securing_fineract">secure your
Fineract server</a>!</p>
+<h2 id="fixed-in-apache-fineract-1.12.1">Fixed in Apache Fineract 1.12.1</h2>
+<h3 id="cve-2025-58137-auth-bypass-through-user-controlled-key"><a
href="https://www.cve.org/CVERecord?id=CVE-2025-58137">CVE-2025-58137</a>: auth
bypass through user-controlled key</h3>
+<p>Authorization Bypass Through User-Controlled Key vulnerability in Apache
Fineract.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2024-10-07</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2025-05-16</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.11.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>Thank you Peter Chen with PayPal Security for identifying the issue. Thank
you Ádám Sághy, Aleksandar Vidakovic, and Victor Romero for fixing it.</p>
+<h3 id="cve-2025-58130-insufficiently-protected-credentials"><a
href="https://www.cve.org/CVERecord?id=CVE-2025-58130">CVE-2025-58130</a>:
insufficiently protected credentials</h3>
+<p>Insufficiently Protected Credentials vulnerability in Apache Fineract.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2024-10-07</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2025-04-14</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.11.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>Thank you Peter Chen with PayPal Security for identifying the issue. Thank
you Jose Alberto Hernandez and Ádám Sághy for fixing it.</p>
+<h2 id="fixed-in-apache-fineract-1.11.0">Fixed in Apache Fineract 1.11.0</h2>
+<h3 id="cve-2025-23408-weak-password-policy"><a
href="https://www.cve.org/CVERecord?id=CVE-2025-23408">CVE-2025-23408</a>: weak
password policy</h3>
+<p>Weak Password Requirements vulnerability in Apache Fineract.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2024-10-07</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2024-11-11</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.10.1 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>Thank you Peter Chen with PayPal Security for identifying the issue. Thank
you Kristof Jozsa with BaaSFlow for fixing it.</p>
+<h2 id="fixed-in-apache-fineract-1.10.1">Fixed in Apache Fineract 1.10.1</h2>
+<h3 id="cve-2024-32838-sql-injection---various"><a
href="https://www.cve.org/CVERecord?id=CVE-2024-32838">CVE-2024-32838</a>: SQL
injection - various</h3>
+<p>SQL Injection vulnerability in various API endpoints - offices, dashboards,
etc. Apache Fineract versions 1.9 and before have a vulnerability that allows
an authenticated attacker to inject malicious data into some of the REST API
endpoints’ query parameter. Users are recommended to upgrade to version 1.10.1,
which fixes this issue. A SQL Validator has been implemented which allows us to
configure a series of tests and checks against our SQL queries that will allow
us to validate and [...]
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2024-04-18</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2024-05-01</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.9.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We acknowledge Kabilan S - Security engineer at Zoho, for identifying the
issue and Aleksandar for resolving it.</p>
+<h2 id="fixed-in-apache-fineract-1.9.0">Fixed in Apache Fineract 1.9.0</h2>
+<h3 id="cve-2024-23539-vulnerable-endpoints"><a
href="https://www.cve.org/CVERecord?id=CVE-2024-23539">CVE-2024-23539</a>:
vulnerable endpoints</h3>
+<p>Under certain system configurations, the sqlSearch parameter for specific
endpoints was vulnerable to SQL injection attacks, potentially allowing
attackers to manipulate database queries.</p>
+<p>Fixed by <a href="https://github.com/apache/fineract/pull/3621"
class="uri">https://github.com/apache/fineract/pull/3621</a>.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2023-09-04</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2023-12-06</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.8.4 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We thank Yash Sancheti of GH Solutions Consultants for reporting this
issue.</p>
+<h3 id="cve-2024-23538-sql-injection---sqlsearch"><a
href="https://www.cve.org/CVERecord?id=CVE-2024-23538">CVE-2024-23538</a>: SQL
injection - sqlSearch</h3>
+<p>Under certain system configurations, the sqlSearch parameter was vulnerable
to blind SQL injection attacks, potentially allowing attackers to manipulate
database queries.</p>
+<p>Fixed by <a href="https://github.com/apache/fineract/pull/3626"
class="uri">https://github.com/apache/fineract/pull/3626</a>.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2023-08-09</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2023-12-06</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.8.4 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We thank Majd Alasfar of ProgressSoft for reporting this issue.</p>
+<h3 id="cve-2024-23537-privilege-escalation"><a
href="https://www.cve.org/CVERecord?id=CVE-2024-23537">CVE-2024-23537</a>:
privilege escalation</h3>
+<p>Under certain circumstances, this vulnerability allowed users, without
specific permissions, to escalate their privileges to any role, including super
user status. This flaw could enable users to gain control over user
management.</p>
+<p>Fixed by <a href="https://github.com/apache/fineract/pull/3626"
class="uri">https://github.com/apache/fineract/pull/3626</a>.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2023-09-04</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2023-12-06</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.8.4 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We thank Yash Sancheti of GH Solutions Consultants for reporting this
issue.</p>
+<h2 id="fixed-in-apache-fineract-1.8.4-and-1.7.3">Fixed in Apache Fineract
1.8.4 and 1.7.3</h2>
+<h3 id="cve-2023-25197-sql-injection"><a
href="https://www.cve.org/CVERecord?id=CVE-2023-25197">CVE-2023-25197</a>: SQL
injection</h3>
+<p>Improper Neutralization of Special Elements used in an SQL Command (‘SQL
Injection’) vulnerability in Apache Software Foundation apache fineract.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td></td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td></td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.8.3 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Eugene Lim at Cyber Security Group (CSG) Government
Technology Agency GOVTECH.sg, for reporting this issue, and the Apache Security
team for their assistance. Thank you to Aleksandar Vidakovic for resolving this
CVE.</p>
+<h3 id="cve-2023-25196-sql-injection"><a
href="https://www.cve.org/CVERecord?id=CVE-2023-25196">CVE-2023-25196</a>: SQL
injection</h3>
+<p>Improper Neutralization of Special Elements used in an SQL Command (‘SQL
Injection’) vulnerability in Apache Software Foundation Apache Fineract.
Authorized users may be able to change or add data in certain components.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2022-12-02</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2023-03-01</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.8.3 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Zhang Baocheng at Leng Jing Qi Cai Security Lab, for
reporting this issue, and the Apache Security team for their assistance. Thank
you to [email protected] for resolving this CVE.</p>
+<h3 id="cve-2023-25195-ssrf"><a
href="https://www.cve.org/CVERecord?id=CVE-2023-25195">CVE-2023-25195</a>:
SSRF</h3>
+<p>Server-Side Request Forgery (SSRF) vulnerability in Apache Software
Foundation Apache Fineract. Authorized users with limited permissions can gain
access to server and may be able to use server for any outbound traffic.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2022-12-06</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2023-03-01</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.8.3 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Huydoppa from GHTK, for reporting this issue, and
the Apache Security team for their assistance. Thank you to [email protected]
for resolving this CVE.</p>
+<h2 id="fixed-in-apache-fineract-1.8.1-and-1.7.1">Fixed in Apache Fineract
1.8.1 and 1.7.1</h2>
+<h3 id="cve-2022-44635-file-upload-vulnerability"><a
href="https://www.cve.org/CVERecord?id=CVE-2022-44635">CVE-2022-44635</a>: file
upload vulnerability</h3>
+<p>Apache Fineract allowed an authenticated user to perform remote code
execution due to a path traversal vulnerability in a file upload component of
Apache Fineract, allowing an attacker to run remote code. This issue affects
Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade
to 1.8.1.</p>
+<p>Under typical deployments, remote code could be run.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2022-10-31</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2022-11-22</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.8.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Sapra co-captain of the Super Guesser CTF team &
Security researcher at CRED, for reporting this issue, and the Apache Security
team for their assistance. We give kudos and karma to Aleksandar Vidakovic for
resolving this CVE.</p>
+<h2 id="fixed-in-apache-fineract-1.5.0">Fixed in Apache Fineract 1.5.0</h2>
+<h3 id="cve-2020-17514-disabled-hostname-verification-for-https"><a
href="https://www.cve.org/CVERecord?id=CVE-2020-17514">CVE-2020-17514</a>:
disabled hostname verification for HTTPS</h3>
+<p>Apache Fineract disables HTTPS hostname verification in
<code>ProcessorHelper</code> in the <code>configureClient</code> method.</p>
+<p>Under typical deployments, a man in the middle attack could be
successful.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2020-10-15</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2020-10-19</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.4.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank <a href="https://github.com/intrigus-lgtm">Simon
Gerst</a> for reporting this issue, and the Apache Security team for their
assistance.</p>
+<h2 id="fixed-in-apache-fineract-1.4.0">Fixed in Apache Fineract 1.4.0</h2>
+<h3 id="cve-2018-20243-unencrypted-username-and-password-in-url"><a
href="https://www.cve.org/CVERecord?id=CVE-2018-20243">CVE-2018-20243</a>:
unencrypted username and password in URL</h3>
+<p>The implementation of POST with the username and password in the URL
parameters exposed the credentials. More information is available in Fineract
JIRA issues 726 and 629.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-12-31</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2020-01-01</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.3.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank <a href="https://github.com/intrigus-lgtm">Simon
Gerst</a> for reporting this issue, and the Apache Security team for their
assistance.</p>
+<h2 id="fixed-in-apache-fineract-1.3.0">Fixed in Apache Fineract 1.3.0</h2>
+<h3 id="cve-2018-11801-sql-injection---m_center"><a
href="https://www.cve.org/CVERecord?id=CVE-2018-11801">CVE-2018-11801</a>: SQL
Injection - m_center</h3>
+<p>SQL injection vulnerability in Apache Fineract before 1.3.0 allows
attackers to execute arbitrary SQL commands via a query on a m_center data
related table.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-08-29</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2018-12-01</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.2.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Niels Heinen from Google for reporting this issue,
and the Apache Security team for their assistance.</p>
+<h3 id="cve-2018-11800-sql-injection---groupsummarycounts"><a
href="https://www.cve.org/CVERecord?id=CVE-2018-11800">CVE-2018-11800</a>: SQL
Injection - GroupSummaryCounts</h3>
+<p>SQL injection vulnerability in Apache Fineract before 1.3.0 allows
attackers to execute arbitrary SQL commands via a query on the
GroupSummaryCounts related table.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-08-29</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2018-12-01</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.2.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Niels Heinen from Google for reporting this issue,
and the Apache Security team for their assistance.</p>
+<h3 id="cve-2016-4977-rce-as-a-result-of-cve-in-upstream-dependency"><a
href="https://www.cve.org/CVERecord?id=CVE-2016-4977">CVE-2016-4977</a>: RCE as
a result of CVE in upstream dependency</h3>
+<p>A known vulnerability in spring security upstream dependencies allowed
malicious users to trigger remote code execution.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-12-17</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2019-02-01</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.2.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Roberto ([email protected]) for reporting this
issue, and the Apache Security team for their assistance.</p>
+<h2 id="fixed-in-apache-fineract-1.1.0">Fixed in Apache Fineract 1.1.0</h2>
+<h3 id="cve-2018-1292-sql-injection---reportname"><a
href="https://www.cve.org/CVERecord?id=CVE-2018-1292">CVE-2018-1292</a>: SQL
Injection - reportName</h3>
+<p>Within the ‘getReportType’ method, a hacker could inject SQL to read/update
data for which he doesn’t have authorization for by way of the ‘reportName’
parameter.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-01-23</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2018-04-19</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.0.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank 圆珠笔 ([email protected]) and the Apache Security team
for reporting this issue.</p>
+<h3 id="cve-2018-1291-sql-injection---order"><a
href="https://www.cve.org/CVERecord?id=CVE-2018-1291">CVE-2018-1291</a>: SQL
Injection - order</h3>
+<p>Apache Fineract exposes different REST end points to query domain specific
entities with a Query Parameter ‘orderBy’ which are appended directly with SQL
statements. A hacker/user can inject/draft the ‘orderBy’ query parameter by way
of the “order” param in such a way to to read/update the data for which he
doesn’t have authorization.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-01-23</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2018-04-19</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.0.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank 圆珠笔 ([email protected]) and the Apache Security team
for reporting this issue.</p>
+<h3 id="cve-2018-1290-sql-injection---single-quotation-escape"><a
href="https://www.cve.org/CVERecord?id=CVE-2018-1290">CVE-2018-1290</a>: SQL
Injection - single quotation escape</h3>
+<p>Using a single quotation escape with two continuous SQL parameters can
cause a SQL injection. This could be done in Methods like retrieveAuditEntries
of AuditsApiResource Class retrieveCommands of MakercheckersApiResource
Class</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-01-23</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2018-04-19</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.0.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank 圆珠笔 ([email protected]) and the Apache Security team
for reporting this issue.</p>
+<h3 id="cve-2018-1289-sql-injection---orderby-and-sortorder"><a
href="https://www.cve.org/CVERecord?id=CVE-2018-1289">CVE-2018-1289</a>: SQL
Injection - orderBy and sortOrder</h3>
+<p>Apache Fineract exposes different REST end points to query domain specific
entities with a Query Parameter ‘orderBy’ and ‘sortOrder’ which are appended
directly with SQL statements. A hacker/user can inject/draft the ‘orderBy’ and
‘sortOrder’ query parameter in such a way to read/update the data for which he
doesn’t have authorization.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2018-01-18</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2018-04-19</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>1.0.0 and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank 圆珠笔 ([email protected]) and the Apache Security team
for reporting this issue.</p>
+<h2 id="fixed-in-apache-fineract-1.0.0">Fixed in Apache Fineract 1.0.0</h2>
+<h3 id="cve-2017-5663-sql-injection---sqlsearch"><a
href="https://www.cve.org/CVERecord?id=CVE-2017-5663">CVE-2017-5663</a>: SQL
Injection - sqlSearch</h3>
+<p>An authenticated user with client/loan/center/staff/group read permissions
is able to inject malicious SQL into SELECT queries. The ‘sqlSearch’ parameter
on a number of endpoints is not sanitized and appended directly to the query.
List of vulnerable endpoints: /staff, /clients, /loans, /centers, /groups.</p>
+<table>
+<tbody>
+<tr>
+<td style="text-align: left;">Report</td>
+<td>2017-04-02</td>
+</tr>
+<tr>
+<td style="text-align: left;">Fix</td>
+<td>2017-12-13</td>
+</tr>
+<tr>
+<td style="text-align: left;">Affects</td>
+<td>0.6.0-incubating and earlier releases</td>
+</tr>
+</tbody>
+</table>
+<p>We would like to thank Alex Ivanov and the Apache Security team for
reporting this issue.</p>
+<h2 id="notable-fineract-security-policy-updates">Notable Fineract security
policy updates</h2>
+<ul>
+<li>January 15, 2025: The project now determines on a case by case basis
whether a CVE fix will be back-ported to any prior release. The default is that
all prior releases are immediately determined as EOL (end of life) when a new
release happens.</li>
+<li>November 29, 2022: In order to ensure that users are given warning of
critical issues, the Apache Fineract project may use its relationship with the
independent Mifos Initiative to ensure that users of the Fineract backend and
Mifos front end UI are informed of such vulnerabilities and are able to assist
in testing and validating patches.</li>
+</ul>
+<h2 id="editing-this-document">Editing this document</h2>
+<p>The <a
href="https://github.com/apache/fineract-site/blob/asf-site/src/security/security.md">source
for this document</a> is <a
href="https://pandoc.org/MANUAL.html#pandocs-markdown">plain text with minimal
Pandoc-flavor Markdown</a>. It is <a
href="https://github.com/apache/fineract-site/blob/asf-site/src/security/Readme.md">rendered
as HTML with Pandoc</a>.</p>
+<p>Keep this document simple and consistent. If you change the structure for
one section, do so throughout the document.</p>
+<p>Major headings are releases in descending order (most recent first). Minor
headings are CVE ids, also in descending order. Always use
<code>www.cve.org</code> for canonical CVE links. Date format for “Report” and
“Fix” fields is <code>YYYY-MM-DD</code>.</p>
+</body>
+</html>
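Review bot: the CVE-2023-25197 entry has empty Report and Fix cells (`<td></td>`), which contradicts the page's own rule further down that those fields use `YYYY-MM-DD`; fill them from the CVE record or the wiki page being migrated, or state "unknown" explicitly rather than leaving a blank cell. Three further points in the same file: CVE-2024-23538 and CVE-2024-23537 both list `https://github.com/apache/fineract/pull/3626` as the fix while CVE-2024-23539 lists pull/3621, which looks like a copy-paste slip worth verifying against the PRs; the root element is `<html ... lang="" xml:lang="">`, which pandoc emits when no `lang` metadata is given, so passing `--metadata lang=en` in the Makefile would give assistive technology and hyphenation the right language; and the ASF process link uses plain `http://www.apache.org/security/`, which should be `https://`. The credit lines that read `[email protected]` also look like an address-obfuscation artifact rather than the intended reporter or fixer names; check that the committed file carries the real attribution.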
diff --git a/src/security/Makefile b/src/security/Makefile
new file mode 100644
index 0000000..a359ee3
--- /dev/null
+++ b/src/security/Makefile
@@ -0,0 +1,17 @@
+# Copyright ©2025 The Apache Software Foundation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+security.html: security.md
+ docker run --rm --volume "$(shell pwd):/data" --user $(shell id
-u):$(shell id -g) pandoc/minimal:3.8.3 --to html5 --standalone --wrap=none
--css css/security.css --variable pagetitle='Apache Fineract Security Reports'
--table-of-contents --toc-depth=2 --include-in-header favicon.html --output $@
$<
+ cp security.html ../../
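Review bot: the build image is pinned by tag only (`pandoc/minimal:3.8.3`), so a re-pushed image under the same tag would silently change what renders the project's security advisories; pin by digest as well (`pandoc/minimal:3.8.3@sha256:<digest>`, digest to be filled in) so the render is reproducible and the supply chain for this page is fixed. Two smaller points: writing the output directly with `--output ../../security.html` would remove the `cp security.html ../../` step and the intermediate file that the .gitignore change hides, and `$(CURDIR)`, which Make sets itself, is the idiomatic replacement for `$(shell pwd)` in the `--volume` argument.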
diff --git a/src/security/Readme.md b/src/security/Readme.md
new file mode 100644
index 0000000..59c423e
--- /dev/null
+++ b/src/security/Readme.md
@@ -0,0 +1,26 @@
+<!--
+Copyright ©2025 The Apache Software Foundation.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
+
+https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+-->
+
+Sources for <https://fineract.apache.org/security.html>
+
+## To add and update security reports
+
+1. Run `make`.
+1. Open `../../security.html` in a web browser.
+
+## Prerequisites
+
+1. [Make](https://www.gnu.org/software/make/)
+1. [Docker](https://www.docker.com/)
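Review bot: the step list under "To add and update security reports" omits the editing and commit steps; since the site serves the rendered file, it should read: edit `security.md`, run `make`, review `../../security.html` in a browser, then commit both `security.md` and the regenerated root `security.html` together so the two never drift. It would also help to note that the build needs no local pandoc because the Makefile runs it in the pinned Docker image, which is why Docker appears under Prerequisites.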
diff --git a/src/security/favicon.html b/src/security/favicon.html
new file mode 100644
index 0000000..a420cb9
--- /dev/null
+++ b/src/security/favicon.html
@@ -0,0 +1 @@
+<link rel="icon" type="image/png" href="images/apache-fineract-icon.png">
diff --git a/src/security/security.md b/src/security/security.md
new file mode 100644
index 0000000..a3c6b1a
--- /dev/null
+++ b/src/security/security.md
@@ -0,0 +1,322 @@
+# Apache Fineract Security Reports
+
+<!--
+Copyright ©2025 The Apache Software Foundation.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
+
+https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+-->
+
+This page lists all security vulnerabilities fixed in released versions of
Apache Fineract. Each vulnerability is reported via [the ASF
process](http://www.apache.org/security/) and given a security impact rating.
+
+If you have identified a security issue, let us know immediately via email to
security AT fineract.apache.org. And be sure to [secure your Fineract
server](https://fineract.apache.org/docs/current/#_securing_fineract)!
+
+## Fixed in Apache Fineract 1.12.1
+
+### [CVE-2025-58137](https://www.cve.org/CVERecord?id=CVE-2025-58137): auth
bypass through user-controlled key
+
+Authorization Bypass Through User-Controlled Key vulnerability in Apache
Fineract.
+
+------- --------
+Report 2024-10-07
+Fix 2025-05-16
+Affects 1.11.0 and earlier releases
+------- --------
+
+Thank you Peter Chen with PayPal Security for identifying the issue.
+Thank you Ádám Sághy, Aleksandar Vidakovic, and Victor Romero for fixing it.
+
+### [CVE-2025-58130](https://www.cve.org/CVERecord?id=CVE-2025-58130):
insufficiently protected credentials
+
+Insufficiently Protected Credentials vulnerability in Apache Fineract.
+
+------- --------
+Report 2024-10-07
+Fix 2025-04-14
+Affects 1.11.0 and earlier releases
+------- --------
+
+Thank you Peter Chen with PayPal Security for identifying the issue.
+Thank you Jose Alberto Hernandez and Ádám Sághy for fixing it.
+
+## Fixed in Apache Fineract 1.11.0
+
+### [CVE-2025-23408](https://www.cve.org/CVERecord?id=CVE-2025-23408): weak
password policy
+
+Weak Password Requirements vulnerability in Apache Fineract.
+
+------- --------
+Report 2024-10-07
+Fix 2024-11-11
+Affects 1.10.1 and earlier releases
+------- --------
+
+Thank you Peter Chen with PayPal Security for identifying the issue.
+Thank you Kristof Jozsa with BaaSFlow for fixing it.
+
+## Fixed in Apache Fineract 1.10.1
+
+### [CVE-2024-32838](https://www.cve.org/CVERecord?id=CVE-2024-32838): SQL
injection - various
+
+SQL Injection vulnerability in various API endpoints - offices, dashboards,
etc. Apache Fineract versions 1.9 and before have a vulnerability that allows
an authenticated attacker to inject malicious data into some of the REST API
endpoints' query parameter. Users are recommended to upgrade to version 1.10.1,
which fixes this issue. A SQL Validator has been implemented which allows us to
configure a series of tests and checks against our SQL queries that will allow
us to validate and pro [...]
+
+------- --------
+Report 2024-04-18
+Fix 2024-05-01
+Affects 1.9.0 and earlier releases
+------- --------
+
+We acknowledge Kabilan S - Security engineer at Zoho, for identifying the
issue and Aleksandar for resolving it.
+
+## Fixed in Apache Fineract 1.9.0
+
+### [CVE-2024-23539](https://www.cve.org/CVERecord?id=CVE-2024-23539):
vulnerable endpoints
+
+Under certain system configurations, the sqlSearch parameter for specific
endpoints was vulnerable to SQL injection attacks, potentially allowing
attackers to manipulate database queries.
+
+Fixed by <https://github.com/apache/fineract/pull/3621>.
+
+------- --------
+Report 2023-09-04
+Fix 2023-12-06
+Affects 1.8.4 and earlier releases
+------- --------
+
+We thank Yash Sancheti of GH Solutions Consultants for reporting this issue.
+
+### [CVE-2024-23538](https://www.cve.org/CVERecord?id=CVE-2024-23538): SQL
injection - sqlSearch
+
+Under certain system configurations, the sqlSearch parameter was vulnerable to
blind SQL injection attacks, potentially allowing attackers to manipulate
database queries.
+
+Fixed by <https://github.com/apache/fineract/pull/3626>.
+
+------- --------
+Report 2023-08-09
+Fix 2023-12-06
+Affects 1.8.4 and earlier releases
+------- --------
+
+We thank Majd Alasfar of ProgressSoft for reporting this issue.
+
+### [CVE-2024-23537](https://www.cve.org/CVERecord?id=CVE-2024-23537):
privilege escalation
+
+Under certain circumstances, this vulnerability allowed users, without
specific permissions, to escalate their privileges to any role, including super
user status. This flaw could enable users to gain control over user management.
+
+Fixed by <https://github.com/apache/fineract/pull/3626>.
+
+------- --------
+Report 2023-09-04
+Fix 2023-12-06
+Affects 1.8.4 and earlier releases
+------- --------
+
+We thank Yash Sancheti of GH Solutions Consultants for reporting this issue.
+
+## Fixed in Apache Fineract 1.8.4 and 1.7.3
+
+### [CVE-2023-25197](https://www.cve.org/CVERecord?id=CVE-2023-25197): SQL
injection
+
+Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection') vulnerability in Apache Software Foundation apache fineract.
+
+------- --------
+Report
+Fix
+Affects 1.8.3 and earlier releases
+------- --------
+
+We would like to thank Eugene Lim at Cyber Security Group (CSG) Government
Technology Agency GOVTECH.sg, for reporting this issue, and the Apache Security
team for their assistance. Thank you to Aleksandar Vidakovic for resolving this
CVE.
+
+### [CVE-2023-25196](https://www.cve.org/CVERecord?id=CVE-2023-25196): SQL
injection
+
+Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection') vulnerability in Apache Software Foundation Apache Fineract.
Authorized users may be able to change or add data in certain components.
+
+------- --------
+Report 2022-12-02
+Fix 2023-03-01
+Affects 1.8.3 and earlier releases
+------- --------
+
+We would like to thank Zhang Baocheng at Leng Jing Qi Cai Security Lab, for
reporting this issue, and the Apache Security team for their assistance. Thank
you to [email protected] for resolving this CVE.
+
+### [CVE-2023-25195](https://www.cve.org/CVERecord?id=CVE-2023-25195): SSRF
+
+Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation
Apache Fineract. Authorized users with limited permissions can gain access to
server and may be able to use server for any outbound traffic.
+
+------- --------
+Report 2022-12-06
+Fix 2023-03-01
+Affects 1.8.3 and earlier releases
+------- --------
+
+We would like to thank Huydoppa from GHTK, for reporting this issue, and the
Apache Security team for their assistance. Thank you to [email protected] for
resolving this CVE.
+
+## Fixed in Apache Fineract 1.8.1 and 1.7.1
+
+### [CVE-2022-44635](https://www.cve.org/CVERecord?id=CVE-2022-44635): file
upload vulnerability
+
+Apache Fineract allowed an authenticated user to perform remote code execution
due to a path traversal vulnerability in a file upload component of Apache
Fineract, allowing an attacker to run remote code. This issue affects Apache
Fineract version 1.8.0 and prior versions. We recommend users to upgrade to
1.8.1.
+
+Under typical deployments, remote code could be run.
+
+------- --------
+Report 2022-10-31
+Fix 2022-11-22
+Affects 1.8.0 and earlier releases
+------- --------
+
+We would like to thank Sapra co-captain of the Super Guesser CTF team &
Security researcher at CRED, for reporting this issue, and the Apache Security
team for their assistance. We give kudos and karma to Aleksandar Vidakovic for
resolving this CVE.
+
+## Fixed in Apache Fineract 1.5.0
+
+### [CVE-2020-17514](https://www.cve.org/CVERecord?id=CVE-2020-17514):
disabled hostname verification for HTTPS
+
+Apache Fineract disables HTTPS hostname verification in `ProcessorHelper` in
the `configureClient` method.
+
+Under typical deployments, a man in the middle attack could be successful.
+
+------- --------
+Report 2020-10-15
+Fix 2020-10-19
+Affects 1.4.0 and earlier releases
+------- --------
+
+We would like to thank [Simon Gerst](https://github.com/intrigus-lgtm) for
reporting this issue, and the Apache Security team for their assistance.
+
+## Fixed in Apache Fineract 1.4.0
+
+### [CVE-2018-20243](https://www.cve.org/CVERecord?id=CVE-2018-20243):
unencrypted username and password in URL
+
+The implementation of POST with the username and password in the URL
parameters exposed the credentials. More information is available in Fineract
JIRA issues 726 and 629.
+
+------- --------
+Report 2018-12-31
+Fix 2020-01-01
+Affects 1.3.0 and earlier releases
+------- --------
+
+We would like to thank [Simon Gerst](https://github.com/intrigus-lgtm) for
reporting this issue, and the Apache Security team for their assistance.
+
+## Fixed in Apache Fineract 1.3.0
+
+### [CVE-2018-11801](https://www.cve.org/CVERecord?id=CVE-2018-11801): SQL
Injection - m_center
+
+SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers
to execute arbitrary SQL commands via a query on a m_center data related table.
+
+------- --------
+Report 2018-08-29
+Fix 2018-12-01
+Affects 1.2.0 and earlier releases
+------- --------
+
+We would like to thank Niels Heinen from Google for reporting this issue, and
the Apache Security team for their assistance.
+
+### [CVE-2018-11800](https://www.cve.org/CVERecord?id=CVE-2018-11800): SQL
Injection - GroupSummaryCounts
+
+SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers
to execute arbitrary SQL commands via a query on the GroupSummaryCounts related
table.
+
+------- --------
+Report 2018-08-29
+Fix 2018-12-01
+Affects 1.2.0 and earlier releases
+------- --------
+
+We would like to thank Niels Heinen from Google for reporting this issue, and
the Apache Security team for their assistance.
+
+### [CVE-2016-4977](https://www.cve.org/CVERecord?id=CVE-2016-4977): RCE as a
result of CVE in upstream dependency
+
+A known vulnerability in spring security upstream dependencies allowed
malicious users to trigger remote code execution.
+
+------- --------
+Report 2018-12-17
+Fix 2019-02-01
+Affects 1.2.0 and earlier releases
+------- --------
+
+We would like to thank Roberto ([email protected]) for reporting this
issue, and the Apache Security team for their assistance.
+
+## Fixed in Apache Fineract 1.1.0
+
+### [CVE-2018-1292](https://www.cve.org/CVERecord?id=CVE-2018-1292): SQL
Injection - reportName
+
+Within the 'getReportType' method, a hacker could inject SQL to read/update
data for which he doesn't have authorization for by way of the 'reportName'
parameter.
+
+------- --------
+Report 2018-01-23
+Fix 2018-04-19
+Affects 1.0.0 and earlier releases
+------- --------
+
+We would like to thank 圆珠笔 ([email protected]) and the Apache Security team for
reporting this issue.
+
+### [CVE-2018-1291](https://www.cve.org/CVERecord?id=CVE-2018-1291): SQL
Injection - order
+
+Apache Fineract exposes different REST end points to query domain specific
entities with a Query Parameter 'orderBy' which are appended directly with SQL
statements. A hacker/user can inject/draft the 'orderBy' query parameter by way
of the "order" param in such a way to to read/update the data for which he
doesn't have authorization.
+
+------- --------
+Report 2018-01-23
+Fix 2018-04-19
+Affects 1.0.0 and earlier releases
+------- --------
+
+We would like to thank 圆珠笔 ([email protected]) and the Apache Security team for
reporting this issue.
+
+### [CVE-2018-1290](https://www.cve.org/CVERecord?id=CVE-2018-1290): SQL
Injection - single quotation escape
+
+Using a single quotation escape with two continuous SQL parameters can cause a
SQL injection. This could be done in Methods like retrieveAuditEntries of
AuditsApiResource Class retrieveCommands of MakercheckersApiResource Class
+
+------- --------
+Report 2018-01-23
+Fix 2018-04-19
+Affects 1.0.0 and earlier releases
+------- --------
+
+We would like to thank 圆珠笔 ([email protected]) and the Apache Security team for
reporting this issue.
+
+### [CVE-2018-1289](https://www.cve.org/CVERecord?id=CVE-2018-1289): SQL
Injection - orderBy and sortOrder
+
+Apache Fineract exposes different REST end points to query domain specific
entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended
directly with SQL statements. A hacker/user can inject/draft the 'orderBy' and
'sortOrder' query parameter in such a way to read/update the data for which he
doesn't have authorization.
+
+------- --------
+Report 2018-01-18
+Fix 2018-04-19
+Affects 1.0.0 and earlier releases
+------- --------
+
+We would like to thank 圆珠笔 ([email protected]) and the Apache Security team for
reporting this issue.
+
+## Fixed in Apache Fineract 1.0.0
+
+### [CVE-2017-5663](https://www.cve.org/CVERecord?id=CVE-2017-5663): SQL
Injection - sqlSearch
+
+An authenticated user with client/loan/center/staff/group read permissions is
able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on
a number of endpoints is not sanitized and appended directly to the query. List
of vulnerable endpoints: /staff, /clients, /loans, /centers, /groups.
+
+------- --------
+Report 2017-04-02
+Fix 2017-12-13
+Affects 0.6.0-incubating and earlier releases
+------- --------
+
+We would like to thank Alex Ivanov and the Apache Security team for reporting
this issue.
+
+## Notable Fineract security policy updates
+
+- January 15, 2025: The project now determines on a case by case basis whether
a CVE fix will be back-ported to any prior release. The default is that all
prior releases are immediately determined as EOL (end of life) when a new
release happens.
+- November 29, 2022: In order to ensure that users are given warning of
critical issues, the Apache Fineract project may use its relationship with the
independent Mifos Initiative to ensure that users of the Fineract backend and
Mifos front end UI are informed of such vulnerabilities and are able to assist
in testing and validating patches.
+
+## Editing this document
+
+The [source for this
document](https://github.com/apache/fineract-site/blob/asf-site/src/security/security.md)
is [plain text with minimal Pandoc-flavor
Markdown](https://pandoc.org/MANUAL.html#pandocs-markdown).
+It is [rendered as HTML with
Pandoc](https://github.com/apache/fineract-site/blob/asf-site/src/security/Readme.md).
+
+Keep this document simple and consistent.
+If you change the structure for one section, do so throughout the document.
+
+Major headings are releases in descending order (most recent first). Minor
headings are CVE ids, also in descending order. Always use `www.cve.org` for
canonical CVE links. Date format for "Report" and "Fix" fields is `YYYY-MM-DD`.
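Review bot: several credits in this file carry the literal placeholder `[email protected]` where a person's name or address should be (the "Thank you to [email protected] for resolving this CVE" lines under CVE-2023-25196 and CVE-2023-25195, and the reporter credits for CVE-2016-4977 and the four 2018 CVEs); this looks like email-obfuscation residue picked up when copying from the Confluence wiki, so the real names should be restored from the wiki source or the parenthetical dropped before this page becomes the canonical record. A few other migration gaps in the same file: the CVE-2024-32838 description ends mid-word ("validate and pro [...]") and should be completed from the cve.org record or cut at the previous sentence; CVE-2023-25197 has empty `Report` and `Fix` rows, which contradicts the "Date format ... is `YYYY-MM-DD`" convention stated at the bottom, so either fill them in or mark them explicitly as unknown; and the sentence for CVE-2018-1290 trails off without a period after "MakercheckersApiResource Class". Two things worth double-checking rather than fixing blindly: CVE-2024-23538 and CVE-2024-23537 both point at pull request 3626 while CVE-2024-23539 points at 3621, and under "Fixed in Apache Fineract 1.3.0" CVE-2016-4977 lists a Fix date of 2019-02-01 while its two neighbours list 2018-12-01. Finally, the ASF process link in the intro uses plain `http://www.apache.org/security/`; use `https://`, as the license link above it already does.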