Frappe ERPNext SQL Injection Vulnerability in Material Request Function

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5. The issue arises in the 'get_material_requests_based_on_supplier' function within 'erpnext/stock/doctype/material_request/material_request.py'. This vulnerability allows attackers to inject SQL queries through the 'txt' parameter, potentially leading to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, enabling attackers to manipulate SQL queries and access or modify database information.

Reproduction

The vulnerability can be reproduced by sending a request to the 'get_material_requests_based_on_supplier' function with a crafted 'txt' parameter that includes SQL injection payloads. The function will process the input without proper sanitization, allowing the injected SQL to be executed against the database.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched.