Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 15.89.0
A server-side template injection (SSTI) vulnerability has been identified in Frappe ERPNext versions through 15.89.0. The issue arises in the 'get_terms_and_conditions' method, where user-controlled Jinja2 templates are rendered using 'frappe.render_template()' with a context that can be manipulated by the user. Despite Frappe's use of a custom SandboxedEnvironment, several dangerous globals, including 'frappe.db.sql', are accessible via 'get_safe_globals()', allowing for potential exploitation. An authenticated attacker with the ability to create or modify Terms and Conditions documents can inject arbitrary Jinja expressions into the terms field, leading to unauthorized code execution on the server side within a limited but still risky context. This vulnerability could also be exploited to extract sensitive information from the database.
Exploitation of this vulnerability allows for arbitrary code execution on the server side, with the potential to leak sensitive database information.
To reproduce this vulnerability, an authenticated user must create or modify a 'Terms and Conditions' document in ERPNext. Inject a Jinja2 payload into the 'Terms' field and save the document. The payload will be stored but not executed immediately. The vulnerability can then be triggered by calling the 'get_terms_and_conditions' method directly through the API, which will render and execute the injected payload, returning the evaluated output in the response.
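The root cause described above is a user-controlled Jinja2 template rendered against a context that still exposes callables such as frappe.db.sql, so sandboxing the engine alone is not enough. The following Python is an added example, not Frappe or ERPNext code and not taken from this advisory: a pre-save validator that rejects Terms templates referencing names outside an assumed allowlist or using dunder attribute access, and a context sanitizer that strips callables and objects so only plain data reaches the renderer. ALLOWED_NAMES, validate_terms and sanitize_context are hypothetical names chosen here; the real ERPNext context keys are not on the page. The validator is a stdlib regex scan for illustration; a production check should walk the template engine's own AST (jinja2's Environment.parse with find_all(nodes.Name)) instead.

```python
import re
from datetime import date, datetime
from decimal import Decimal

# Assumed allowlist of context names a Terms template may reference
# (illustrative; the real ERPNext context keys are not part of this example).
ALLOWED_NAMES = frozenset({"doc", "company", "customer", "payment_days", "grand_total"})

# Jinja2 keywords, literals and common test names that are not context lookups.
JINJA_KEYWORDS = frozenset({
    "if", "elif", "else", "endif", "for", "endfor", "in", "not", "and", "or",
    "is", "set", "true", "false", "none", "True", "False", "None", "loop",
    "defined", "undefined", "divisibleby", "sameas",
})

_TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}|\{#.*?#\}", re.DOTALL)
_STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
_FILTER_RE = re.compile(r"\|\s*[A-Za-z_]\w*")          # "| upper" style filters
_BIND_RE = re.compile(r"\b(?:for|set)\s+([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)")
_IDENT_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*)")     # head of a dotted chain only


def _expressions(template: str):
    """Yield the code inside every {{ ... }} and {% ... %} tag; comments are skipped."""
    for m in _TAG_RE.finditer(template):
        code = m.group(1) if m.group(1) is not None else m.group(2)
        if code is not None:
            yield code


def validate_terms(template: str) -> list:
    """Return a list of problems; an empty list means the template only touches allowed names."""
    problems = []
    exprs = list(_expressions(template))
    # Names the template binds itself ({% for x in ... %}, {% set x = ... %}) are local,
    # not context lookups, so they are accepted wherever they appear.
    bound = set()
    for code in exprs:
        for m in _BIND_RE.finditer(code):
            bound.update(n.strip() for n in m.group(1).split(","))
    for code in exprs:
        # Checked on the raw code so a dunder hidden in a string index is caught too.
        if "__" in code:
            msg = "dunder attribute access ('__') is not permitted"
            if msg not in problems:
                problems.append(msg)
        stripped = _FILTER_RE.sub("", _STRING_RE.sub("''", code))
        for name in _IDENT_RE.findall(stripped):
            if name in JINJA_KEYWORDS or name in bound or name in ALLOWED_NAMES:
                continue
            msg = f"reference to name {name!r} outside the allowed context"
            if msg not in problems:
                problems.append(msg)
    return problems


# Plain data types that cannot be called or used to reach modules or the database.
_SCALARS = (str, int, float, bool, Decimal, date, datetime, type(None))


def sanitize_context(value, depth: int = 0, max_depth: int = 4):
    """Copy a render context keeping only plain data; callables and objects are dropped."""
    if isinstance(value, _SCALARS):
        return value
    if depth >= max_depth:
        return None
    if isinstance(value, dict):
        return {str(k): sanitize_context(v, depth + 1, max_depth)
                for k, v in value.items() if not callable(v)}
    if isinstance(value, (list, tuple)):
        return [sanitize_context(v, depth + 1, max_depth) for v in value if not callable(v)]
    return None  # functions, modules, ORM/DB handles, arbitrary objects


if __name__ == "__main__":
    # Constructed sample: a benign terms template and a constructed context
    # in which a database callable was (wrongly) placed next to the data.
    print(validate_terms("Payment due within {{ payment_days }} days of {{ doc.posting_date }}."))
    print(sanitize_context({"customer": "Acme", "db": {"sql": lambda q: q}, "total": Decimal("10.5")}))
```

validate_terms is meant to run when a Terms and Conditions document is saved, so a template touching anything other than the allowlisted data never reaches storage; sanitize_context is the complementary server-side control, applied to whatever context the caller builds before the template engine sees it, so that even a template that slipped past validation has no callable to invoke.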