Primary

Context

Frappe ERPNext SQL Injection Vulnerability in Income Account Query

Vulnerability

Patched

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5. The issue arises in the 'get_income_account()' function within 'erpnext/controllers/queries.py'. The vulnerability allows attackers to inject SQL queries through the 'filters.disabled' parameter, potentially leading to unauthorized data extraction from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to extract, modify, or delete database information.

Reproduction

To reproduce this vulnerability, send a request to the 'get_income_account()' function with a crafted 'filters.disabled' parameter that includes SQL injection payloads. The injected SQL will be executed by the application, allowing for data extraction from the database.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched.

Added: Sep 30, 2025, 2:22 PM

Updated: Sep 30, 2025, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

7.7

relevance

0.6

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

7.7

relevance

0.6

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Frappe ERPNext SQL Injection Vulnerability in Income Account Query

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Frappe

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating