Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 15.89.0
A server-side template injection (SSTI) vulnerability has been identified in Frappe ERPNext versions through 15.89.0. The issue arises in the 'get_dunning_letter_text' method, which renders attacker-controlled Jinja2 templates via 'frappe.render_template()' with a user-supplied context, 'doc'. Although Frappe renders templates in a custom SandboxedEnvironment, several dangerous globals, including 'frappe.db.sql', remain reachable through 'get_safe_globals()'. An authenticated attacker who can configure a Dunning Type and its associated Dunning Letter Text can therefore inject arbitrary Jinja expressions. Exploitation yields server-side code execution in a restricted but still unsafe context and can leak sensitive database information.
Exploitation of this vulnerability allows authenticated attackers to execute arbitrary Jinja2 expressions, leading to server-side code execution and unauthorized access to sensitive database information.
To reproduce this vulnerability, an authenticated user must navigate to the Dunning Type settings in ERPNext. Within the Dunning Letter Text child table, the user can inject a Jinja2 payload into the Body Text field. After saving the document, the injected payload is executed when the Dunning form is processed, demonstrating the successful exploitation of the SSTI vulnerability. Alternatively, the vulnerability can be triggered by directly calling the 'get_dunning_letter_text' method via the API, with the injected payload executed and the output returned in the response.
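As an added defensive example (not code from Frappe or from this advisory), the following pre-save check rejects a Dunning Letter Text body that references anything outside an allowlist of plain document fields, or that touches dunder attributes. It works on Jinja2 syntax with a regular-expression scan; the allowed field names and the sample bodies are constructed for the illustration.

```python
import re

# Constructed allowlist: the only document fields a dunning letter may read.
# The field names are an assumption; adapt them to the doctype being rendered.
ALLOWED_REFERENCES = {
    "doc.customer_name", "doc.name", "doc.grand_total", "doc.due_date", "doc.company",
}

# Jinja statement keywords and literals that are not context lookups.
JINJA_KEYWORDS = {
    "if", "elif", "else", "endif", "for", "endfor", "in", "not", "and", "or",
    "is", "true", "false", "none", "True", "False", "None", "loop",
}

_TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)  # {{ expr }} and {% stmt %}
_STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")             # quoted literals
_FILTER_RE = re.compile(r"\|\s*[A-Za-z_]\w*")             # |filter names
_NAME_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)")


def template_references(template: str) -> list[str]:
    """Return every dotted name the template looks up in its render context."""
    names = []
    for m in _TAG_RE.finditer(template):
        expr = m.group(1) if m.group(1) is not None else m.group(2)
        expr = _STRING_RE.sub("", expr)  # string literals are not lookups
        expr = _FILTER_RE.sub("", expr)  # 'round' in |round(2) is a filter
        for name in _NAME_RE.findall(expr):
            if name.split(".")[0] not in JINJA_KEYWORDS:
                names.append(name)
    return names


def find_disallowed_references(template: str, allowed=ALLOWED_REFERENCES) -> list[str]:
    """Names outside the allowlist or touching dunder attributes; empty means clean."""
    return sorted({n for n in template_references(template) if n not in allowed or "__" in n})


def validate_letter_text(template: str) -> bool:
    """Pre-save check: accept a Dunning Letter Text body only if it is clean."""
    return not find_disallowed_references(template)


# Constructed sample bodies: one legitimate letter, two that must be rejected.
SAFE_BODY = ("Dear {{ doc.customer_name }}, invoice {{ doc.name }} of {{ doc.grand_total|round(2) }}"
             " {% if doc.due_date %}was due {{ doc.due_date }}{% endif %}.")
UNSAFE_BODY = "Reminder for {{ doc.customer_name }}: {{ frappe.db.sql('...') }}"
DUNDER_BODY = "{{ doc.__class__ }}"

if __name__ == "__main__":
    for body in (SAFE_BODY, UNSAFE_BODY, DUNDER_BODY):
        print(validate_letter_text(body), find_disallowed_references(body))
```

The check is a second line of defence at the point where the template is stored; it does not replace removing callables such as database access from the render context.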