Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 15.89.0
A server-side template injection (SSTI) vulnerability has been identified in Frappe ERPNext versions through 15.89.0. The issue arises in the 'get_address_display' method, which uses 'frappe.render_template()' to render address templates based on the 'address_dict' parameter. This parameter can be a dictionary or a string referencing an Address document. Despite ERPNext's implementation of a custom Jinja2 SandboxedEnvironment, certain dangerous functions, including 'frappe.db.sql', can still be accessed through 'get_safe_globals()'. An authenticated attacker with the ability to create or modify Address Templates can inject arbitrary Jinja expressions into the template field. By crafting an Address document that matches a specific country and then invoking the 'get_address_display' API with the corresponding address name, the injected template is executed using data controlled by the attacker. This exploitation can result in unauthorized server-side code execution or the disclosure of sensitive database information.
Exploitation of this vulnerability allows for arbitrary code execution on the server side or unauthorized access to sensitive database information, depending on the injected Jinja expression.
To reproduce this vulnerability, first create a new Address Template and inject a Jinja payload into the template field. Save the template, then create a new Address document that matches the template's country. Finally, call the 'get_address_display' API with the name of the Address document. The injected payload will be executed and the results returned in the response.
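As an added defender-side check (example code, not part of ERPNext or of this advisory), the audit below scans Address Template bodies, for instance as exported from the database, for Jinja tags that reach into the 'frappe' global (which covers the 'frappe.db.sql' path named above) or that carry the usual sandbox-escape markers. The sample templates and the Address field names in them are constructed for the example; the rule is a denylist, so treat a clean result as necessary, not sufficient.

```python
import re
from typing import Dict, List, Tuple

# Only executable tags are inspected; {# comments #} cannot run code.
TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
# Any attribute/index chain rooted at 'frappe' (e.g. frappe.db.sql) has no
# place in an address display template.
FRAPPE_REF = re.compile(r"(?<![\w.])frappe\s*(?:\.|\[)")
# Dunder attributes and the attr() filter are common sandbox-escape markers.
ESCAPE_MARKER = re.compile(r"__\w+__|\battr\s*\(")

def audit_template(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every suspicious tag in one template."""
    findings: List[Tuple[int, str]] = []
    for m in TAG_RE.finditer(source):
        body = next(g for g in m.groups() if g is not None)
        line = source.count("\n", 0, m.start()) + 1
        if FRAPPE_REF.search(body):
            findings.append((line, "references application globals via 'frappe'"))
        elif ESCAPE_MARKER.search(body):
            findings.append((line, "uses dunder attribute or attr() filter"))
    return findings

def audit_all(templates: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map template name -> findings, keeping only templates with findings."""
    results = {name: audit_template(src) for name, src in templates.items()}
    return {name: f for name, f in results.items() if f}

# Constructed samples: a benign template and a tampered one.
SAMPLE_TEMPLATES = {
    "Default": (
        "{{ address_line1 }}<br>\n"
        "{% if address_line2 %}{{ address_line2 }}<br>{% endif %}\n"
        "{{ city }}{% if state %}, {{ state }}{% endif %}<br>\n"
        "{% if pincode %}{{ pincode }}<br>{% endif %}\n"
        "{{ country }}"
    ),
    "Tampered": (
        "{{ address_line1 }}<br>\n"
        "{{ frappe.session.user }}<br>\n"
        "{{ address_line1.__class__ }}\n"
        "{{ country }}"
    ),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        for line, reason in findings:
            print(f"{name}: line {line}: {reason}")
```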