Frappe ERPNext SQL Injection Vulnerability in Stock Balance Function

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5. The issue arises in the 'get_stock_balance()' function located in 'erpnext/stock/utils.py'. The vulnerability allows attackers to inject SQL queries through the 'inventory_dimensions_dict' parameter, potentially leading to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to extract, modify, or delete database information.

Reproduction

The vulnerability can be reproduced by calling the 'get_stock_balance()' function with a crafted 'inventory_dimensions_dict' parameter that includes malicious SQL injection payloads. This can be done through the ERPNext API by sending a POST request with the injected SQL in the 'inventory_dimensions_dict' parameter.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched.