Primary

Context

Frappe ERPNext SQL Injection Vulnerability in Request for Quotation Module

Vulnerability

Patched

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5, specifically within the 'get_rfq_containing_supplier()' function of the Request for Quotation module. This vulnerability allows attackers to inject SQL queries through the 'txt' parameter, potentially leading to unauthorized data extraction from the database.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, enabling attackers to manipulate SQL queries and extract sensitive information from the database.

Reproduction

The vulnerability can be reproduced by sending a request to the 'get_rfq_containing_supplier()' function with a crafted 'txt' parameter that includes SQL injection payloads. The function will then execute the injected SQL, allowing the attacker to extract database information.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched.

Added: Oct 1, 2025, 3:22 PM

Updated: Oct 1, 2025, 3:22 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

7.7

relevance

0.6

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

7.7

relevance

0.6

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Frappe ERPNext SQL Injection Vulnerability in Request for Quotation Module

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Frappe

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating