Frappe ERPNext SQL Injection Vulnerability in Stock Reconciliation Module

Vulnerability

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5. The issue arises in the 'get_stock_balance_for()' function in the 'stock_reconciliation.py' file, where input passed through the 'inventory_dimensions_dict' parameter reaches a SQL query without adequate sanitization or parameterization. An attacker can therefore inject SQL through that parameter, potentially leading to unauthorized extraction of data from the database.

Impact

Exploitation of this vulnerability allows error-based SQL injection: an attacker manipulates the SQL query so that the database's error output discloses information. In the reported case, the vulnerability was exploited to retrieve the database version.

Reproduction

The vulnerability can be reproduced by sending a request to the ERPNext API method 'frappe.realtime.get_user_info' with an injected SQL payload in the 'inventory_dimensions_dict' parameter of the 'get_stock_balance_for()' function. This can be done using a tool like Burp Suite to intercept and modify the request payload. Once the SQL injection is successful, the injected payload can be used to extract data from the database, such as through an error-based SQL injection technique.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched.
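The following is an added, hypothetical illustration written for this page; it is not code from ERPNext or from the 'stock_reconciliation.py' module described above. It models the class of defect the advisory describes: a stock-balance helper that takes a dictionary of inventory dimensions (column name to value) and pastes both the keys and the values into the SQL text, next to a hardened version that allowlists the dimension column names and binds the values as parameters. The table, rows, column names and the ALLOWED_DIMENSIONS set are all constructed for the example; it runs against an in-memory SQLite database so it can be executed offline.

```python
import sqlite3

# Constructed sample data (not ERPNext's schema): a tiny stock ledger with
# one optional inventory dimension, batch_no.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE stock_ledger "
        "(item_code TEXT, warehouse TEXT, batch_no TEXT, qty REAL)"
    )
    con.executemany(
        "INSERT INTO stock_ledger VALUES (?, ?, ?, ?)",
        [
            ("ITEM-001", "Stores", "B1", 10.0),
            ("ITEM-001", "Stores", "B2", 5.0),
            ("ITEM-002", "Stores", "B1", 7.0),
        ],
    )
    return con


def stock_balance_unsafe(con, item_code, warehouse, dims):
    """Hypothetical vulnerable pattern: dimension names AND values from the
    caller-supplied dict are interpolated straight into the WHERE clause."""
    where = f"item_code = '{item_code}' AND warehouse = '{warehouse}'"
    for col, val in dims.items():
        where += f" AND {col} = '{val}'"
    row = con.execute(f"SELECT SUM(qty) FROM stock_ledger WHERE {where}").fetchone()
    return row[0] or 0.0


# Hardened version: identifiers cannot be bound as parameters, so column
# names are checked against a fixed allowlist; values are always bound.
ALLOWED_DIMENSIONS = {"batch_no"}


def stock_balance_safe(con, item_code, warehouse, dims):
    where = ["item_code = ?", "warehouse = ?"]
    params = [item_code, warehouse]
    for col, val in dims.items():
        if col not in ALLOWED_DIMENSIONS:
            raise ValueError(f"unknown inventory dimension: {col!r}")
        where.append(f"{col} = ?")
        params.append(val)
    sql = f"SELECT SUM(qty) FROM stock_ledger WHERE {' AND '.join(where)}"
    row = con.execute(sql, params).fetchone()
    return row[0] or 0.0


def demo():
    con = make_db()
    ok = {"batch_no": "B1"}
    # A value carrying a classic tautology: the unsafe query's WHERE clause
    # becomes "... AND batch_no = 'B1' OR '1'='1'" and sums every row, while
    # the safe query binds the whole string as a literal and matches nothing.
    bad = {"batch_no": "B1' OR '1'='1"}
    print("unsafe, normal input:", stock_balance_unsafe(con, "ITEM-001", "Stores", ok))
    print("safe,   normal input:", stock_balance_safe(con, "ITEM-001", "Stores", ok))
    print("unsafe, injected value:", stock_balance_unsafe(con, "ITEM-001", "Stores", bad))
    print("safe,   injected value:", stock_balance_safe(con, "ITEM-001", "Stores", bad))
    try:
        # A dimension name outside the allowlist is refused before any SQL runs.
        stock_balance_safe(con, "ITEM-001", "Stores", {"cost_center": "Main"})
    except ValueError as exc:
        print("safe, unknown dimension rejected:", exc)


if __name__ == "__main__":
    demo()
```

The point to take from the hardened version is that a dict-shaped parameter carries two kinds of untrusted input: the values, which every database driver can bind as parameters, and the keys, which end up as SQL identifiers and must be constrained to a known set instead. Fixing only one of the two leaves the injection reachable through the other.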

Added: Oct 1, 2025, 3:22 PM
Updated: Oct 1, 2025, 3:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.