Frappe SQL Injection Vulnerability in Dashboard Chart Permission Query

Vulnerability

A SQL injection vulnerability has been identified in the Frappe web application framework, specifically in versions prior to 15.74.2 and 14.96.15. This vulnerability allows attackers to execute malicious SQL queries through specially crafted requests, potentially leading to unauthorized access to sensitive information. The issue arises from improper validation in the permission query for dashboard charts, where certain chart types were not adequately checked. Notably, this vulnerability bypasses a previous patch intended to address a related SQL injection issue (CVE-2025-52895).

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries and access or modify sensitive information.

Reproduction

The vulnerability can be reproduced by sending requests that reach the permission query for dashboard charts with SQL injection payloads that take advantage of the improper validation of chart types in that query. The injection point is the permission check for the 'Group By' chart type, which, prior to the patch, did not properly validate or sanitize its input, allowing SQL injection.
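The hardened pattern the advisory implies, as an added illustration that is not Frappe's own code: every chart type, including 'Group By', passes through the same check, a column identifier taken from the chart definition is accepted only if it is on a fixed allowlist (identifiers cannot be bound as query parameters), and user-controlled values are passed as bound parameters rather than interpolated into the SQL text. The chart type names other than 'Group By', the field names `group_by_based_on` and `group_by_value`, and the column allowlist are assumptions for this example.

```python
import re
from typing import Any

# Constructed for this example (not Frappe's real values): chart types that
# are permitted to reach the permission query, and the columns a Group By
# chart may group on. Anything outside these sets is refused, not escaped.
PERMITTED_CHART_TYPES = {"Count", "Sum", "Average", "Group By"}
GROUP_BY_COLUMNS = {"status", "owner", "department"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_identifier(name: Any, allowlist: set[str]) -> str:
    """Accept a column name only if it is a plain identifier on the allowlist.

    Identifiers become part of the SQL text, so they cannot travel as bound
    parameters; an allowlist comparison is the check that closes the hole.
    """
    if not isinstance(name, str) or not IDENTIFIER_RE.match(name) or name not in allowlist:
        raise ValueError(f"rejected column identifier: {name!r}")
    return name


def build_permission_condition(chart: dict[str, Any]) -> tuple[str, list[Any]]:
    """Return (sql_fragment, params) restricting a chart to its owner's rows.

    The Group By branch adds a column filter; the column name is validated
    against GROUP_BY_COLUMNS and the compared value is a bound parameter.
    """
    chart_type = chart.get("chart_type")
    if chart_type not in PERMITTED_CHART_TYPES:
        raise ValueError(f"unsupported chart type: {chart_type!r}")

    sql = "`owner` = %s"
    params: list[Any] = [chart["owner"]]

    if chart_type == "Group By":
        column = validate_identifier(chart.get("group_by_based_on"), GROUP_BY_COLUMNS)
        sql += f" AND `{column}` = %s"
        params.append(chart.get("group_by_value"))  # value is bound, never inlined
    return sql, params
```

The resulting fragment and parameter list are meant to be handed to the database driver together, so the driver performs the quoting of values.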

Remediation

Users are advised to upgrade to Frappe versions 15.74.2 or 14.96.15, where this vulnerability has been patched.

Added: Aug 20, 2025, 4:18 PM
Updated: Aug 20, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.