Frappe HelpDesk SQL Injection Vulnerability in Dashboard API

Vulnerability

A SQL injection vulnerability has been identified in Frappe HelpDesk version 1.14.0. The issue arises in the dashboard's 'get_dashboard_data' endpoint, where user-controlled parameters are improperly concatenated into dynamic SQL statements without proper parameter binding. This flaw allows authenticated users with Agent Manager privileges or higher to inject SQL expressions, potentially leading to unauthorized data access or manipulation.
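The root cause described above, string concatenation of a filter value versus parameter binding, shown side by side as an added example in Python. This is not code from Frappe HelpDesk; the in-memory SQLite table, its column names and the sample rows are constructed stand-ins for the ticket data:

```python
import sqlite3

# Constructed in-memory stand-in for the ticket table (not the real HelpDesk schema).
SAMPLE_ROWS = [("T-1", "Billing"), ("T-2", "Support"), ("T-3", "Billing")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tabTicket (name TEXT, agent_group TEXT)")
    con.executemany("INSERT INTO tabTicket VALUES (?, ?)", SAMPLE_ROWS)
    return con


def count_tickets_concat(con, team):
    """Vulnerable pattern: the filter value is spliced into the SQL text, so a
    quote inside it closes the string literal and the remainder is parsed as SQL."""
    sql = f"SELECT COUNT(*) FROM tabTicket WHERE agent_group = '{team}'"
    return con.execute(sql).fetchone()[0]


def count_tickets_bound(con, team):
    """Hardened pattern: the value travels as a bound parameter and is only ever
    compared as data. sqlite3 uses '?' placeholders; frappe.db.sql takes
    '%(team)s'-style named placeholders with a values dict, same principle."""
    sql = "SELECT COUNT(*) FROM tabTicket WHERE agent_group = ?"
    return con.execute(sql, (team,)).fetchone()[0]


def is_known_team(con, team):
    """Defense in depth: accept only team names that actually exist, so an
    unexpected value is rejected before any query is built from it."""
    known = {row[0] for row in con.execute("SELECT DISTINCT agent_group FROM tabTicket")}
    return team in known


if __name__ == "__main__":
    con = make_db()
    odd = "Billing' OR 'x'='x"  # constructed value containing a quote
    print("bound  :", count_tickets_bound(con, odd))   # 0: no team has that literal name
    print("concat :", count_tickets_concat(con, odd))  # 3: the spliced clause changed the query
    print("allowed:", is_known_team(con, odd))          # False: rejected before any query
```

The differing counts for the same input are the observable symptom of the defect; the bound form and the allowlist check each close it independently.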

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, appended to the original SQL query of the vulnerable endpoint. This could result in unauthorized data access or manipulation, such as extracting sensitive information like password reset tokens, which could be used for account takeover.

Reproduction

To reproduce this vulnerability, log in as an authenticated user with Agent Manager or higher privileges. Then, send a POST request to the '/api/method/helpdesk.api.dashboard.get_dashboard_data' endpoint. Include a crafted 'filters.team' parameter that injects SQL payloads, such as time-based delay commands or error-based extraction techniques, to exploit the SQL injection vulnerability. The injection can be verified by extracting the 'reset_password_key' from the 'tabUser' table.

Remediation

Users can update to Frappe HelpDesk version 1.17.4, where this vulnerability has been patched.

Added: Dec 9, 2025, 8:59 PM
Updated: Dec 9, 2025, 8:59 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.