Frappe ERPNext SQL Injection Vulnerability in Loyalty Program Details Function

A SQL injection vulnerability has been identified in Frappe ERPNext version 15.57.5. The issue arises in the 'get_loyalty_program_details_with_points()' function within 'erpnext/accounts/doctype/loyalty_program/loyalty_program.py'. The vulnerability allows attackers to inject SQL queries through the 'expiry_date' parameter, potentially leading to unauthorized data extraction from the database.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, where an attacker can manipulate SQL queries to extract information from the database. During testing, the vulnerability was successfully exploited to retrieve database information such as the version.

Reproduction

The vulnerability can be reproduced by sending a request to the 'get_loyalty_program_details_with_points()' function with a crafted 'expiry_date' parameter that includes an injected SQL query. This can be done through the ERPNext API.

Remediation

Users are advised to update to the latest version of Frappe ERPNext, where this vulnerability has been patched.