Frappe ERPNext SQL Injection Vulnerability in Timesheet Module

Vulnerability

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5, specifically within the timesheet module. The issue arises in the function 'get_timesheet_detail_rate()' located in 'erpnext/projects/doctype/timesheet/timesheet.py'. This vulnerability allows attackers to inject SQL queries through the 'timelog' parameter, potentially leading to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, where an attacker can manipulate SQL queries to extract information from the database. This could include sensitive data such as user information, application data, or other database contents.

Reproduction

To reproduce this vulnerability, send a request to the ERPNext API method 'frappe.realtime.get_user_info' with an injected SQL payload in the 'timelog' parameter that reaches 'get_timesheet_detail_rate()'. The query in that function is built with an f-string (or other unsafe string concatenation) rather than a parameterized query, so the 'timelog' value bypasses the application's SQL query sanitization and is executed as part of the statement.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched. The Frappe Development Team has acknowledged this vulnerability and released a fix.
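The following is an added example, not code from the ERPNext project or from this advisory: it contrasts the f-string query pattern described under Reproduction with the parameterized form that the fix relies on, using a constructed in-memory SQLite table as a stand-in for the timesheet detail records (the table name, column and sample rows are assumptions, not ERPNext's real schema). The probe function is a regression check a reviewer can keep in a test suite: a legitimate value containing an apostrophe raises a database error only in the concatenated version.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the timesheet detail table (assumption, not the real ERPNext schema).
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "tabTimesheet Detail" (name TEXT PRIMARY KEY, billing_rate REAL)')
    conn.executemany('INSERT INTO "tabTimesheet Detail" VALUES (?, ?)',
                     [("TS-0001", 50.0), ("TS-0002", 75.0)])
    return conn

def get_rate_vulnerable(conn, timelog):
    # The pattern the advisory describes: the 'timelog' value is interpolated into the SQL text,
    # so any quote character in it is parsed as SQL rather than as data.
    sql = f"SELECT billing_rate FROM \"tabTimesheet Detail\" WHERE name = '{timelog}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def get_rate_fixed(conn, timelog):
    # Remediation pattern: a placeholder plus a bound value; the driver never parses the value as SQL.
    sql = 'SELECT billing_rate FROM "tabTimesheet Detail" WHERE name = ?'
    row = conn.execute(sql, (timelog,)).fetchone()
    return row[0] if row else None

def apostrophe_probe_raises(fn, conn):
    """Regression check: does an ordinary value containing an apostrophe raise a database error?
    An error here means the value reached the SQL parser, i.e. the query is built by concatenation."""
    try:
        fn(conn, "O'Hara")
    except sqlite3.Error:
        return True
    return False
```

In Frappe itself the equivalent of the fixed form is passing the value separately to frappe.db.sql with a %s placeholder instead of formatting it into the query string.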

Added: Sep 30, 2025, 2:22 PM
Updated: Sep 30, 2025, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.