Primary

Context

Frappe ERPNext SQL Injection Vulnerability in Chart of Accounts Importer

Vulnerability

Patched

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5, specifically within the 'import_coa()' function of the Chart of Accounts Importer module. This vulnerability allows attackers to inject SQL queries through the 'company' parameter, potentially leading to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, enabling attackers to manipulate SQL queries and access or modify database information.

Reproduction

The vulnerability can be reproduced by sending a request to the 'import_coa()' function with a crafted 'company' parameter that includes an injected SQL query. This can be done through the ERPNext API or by directly calling the function in a Python environment where Frappe ERPNext is running.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched.

Added: Sep 30, 2025, 2:23 PM

Updated: Sep 30, 2025, 8:31 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

7.7

relevance

0.6

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

7.7

relevance

0.6

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Frappe ERPNext SQL Injection Vulnerability in Chart of Accounts Importer

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Frappe

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating