ERPNext
cpe:2.3:a:erpnext:erpnext:*:*:*:*:*:*:*
- 15.67.0
Authenticated SQL injection vulnerabilities have been identified in ERPNext version 15.67.0 and Frappe Framework version 15.72.4. These vulnerabilities exist in the 'frappe.desk.reportview.get' API endpoint, specifically through the 'order_by' and 'group_by' parameters. An authenticated user with basic report access can exploit these vulnerabilities to inject arbitrary SQL, potentially leading to data exfiltration, database enumeration, and privilege escalation within the application.
Successful exploitation lets the attacker execute arbitrary SQL with the privileges of the application's database account, with the potential to read sensitive data, manipulate database records, and escalate privileges within the ERPNext or Frappe application.
To reproduce this vulnerability, an authenticated user with report access sends a POST request to the '/api/method/frappe.desk.reportview.get' endpoint with a crafted 'order_by' or 'group_by' parameter. Because these values are placed into the SQL ORDER BY / GROUP BY clauses without sufficient validation, the injected SQL is executed, and the response returns a database error that echoes the injected output, confirming the injection.
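As an added illustration, not code from this advisory or from the Frappe/ERPNext project, the Python below contrasts a constructed query builder that concatenates 'order_by' / 'group_by' straight into SQL (the pattern the advisory describes) with an allow-list validator of the kind a fix would apply before those strings reach the database. The function names, the regular expressions, and the sample inputs are assumptions made for the example.

```python
import re

# One `tabDocType`.`field` reference (DocType names may contain spaces) or a
# bare field name; backticks are either fully present or absent, never unbalanced.
_IDENT = r"(?:`tab[A-Za-z0-9 _-]+`\.)?(?:`[A-Za-z_][A-Za-z0-9_]*`|[A-Za-z_][A-Za-z0-9_]*)"
# order_by terms may carry an asc/desc direction; group_by terms may not.
_ORDER_TERM = re.compile(rf"^\s*{_IDENT}(?:\s+(?:asc|desc))?\s*$", re.IGNORECASE)
_GROUP_TERM = re.compile(rf"^\s*{_IDENT}\s*$", re.IGNORECASE)


class InvalidClause(ValueError):
    """Raised when order_by / group_by contains anything beyond column references."""


def build_query_unsafe(doctype, fields, order_by=None, group_by=None):
    # Constructed stand-in for the vulnerable pattern (not Frappe's own code):
    # whatever the caller sent becomes part of the statement verbatim.
    sql = "select {} from `tab{}`".format(", ".join(fields), doctype)
    if group_by:
        sql += " group by " + group_by
    if order_by:
        sql += " order by " + order_by
    return sql


def validate_clause(value, term_pattern):
    # Split on commas and require every fragment to match the allow-list
    # pattern; parentheses, semicolons, comments or subqueries never match.
    if not value:
        return None
    cleaned = []
    for term in value.split(","):
        if not term_pattern.match(term):
            raise InvalidClause(f"rejected fragment: {term.strip()!r}")
        cleaned.append(" ".join(term.split()))  # normalise whitespace
    return ", ".join(cleaned)


def build_query_safe(doctype, fields, order_by=None, group_by=None):
    # Same shape as the unsafe builder, but both clauses pass the allow-list first.
    group_by = validate_clause(group_by, _GROUP_TERM)
    order_by = validate_clause(order_by, _ORDER_TERM)
    sql = "select {} from `tab{}`".format(", ".join(fields), doctype)
    if group_by:
        sql += " group by " + group_by
    if order_by:
        sql += " order by " + order_by
    return sql


if __name__ == "__main__":
    # Constructed inputs: a legitimate report sort and a clause carrying SQL syntax.
    good = "`tabToDo`.`modified` desc"
    bad = "`tabToDo`.`modified` desc, (select 1)"
    print(build_query_unsafe("ToDo", ["name"], order_by=bad))  # injected text lands in the query
    print(build_query_safe("ToDo", ["name"], order_by=good))
    try:
        build_query_safe("ToDo", ["name"], order_by=bad)
    except InvalidClause as exc:
        print("blocked:", exc)
```

The allow-list approach is deliberately narrow: a report view only ever needs column references and a sort direction, so anything else is rejected outright rather than escaped, which is the right posture for clause fragments that cannot be parameterised.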
Users are advised to upgrade to the latest version of ERPNext and Frappe Framework once a patch is available. In the meantime, restrict access to the 'frappe.desk.reportview.get' endpoint to trusted roles, and review access logs for requests to that endpoint whose 'order_by' or 'group_by' values contain anything other than column names and a sort direction.