Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 15.89.0
A Server-Side Template Injection (SSTI) vulnerability has been identified in Frappe ERPNext versions through 15.89.0. The issue arises in the Print Format rendering process, where the API 'frappe.www.printview.get_html_and_style()' renders the 'html' field of a Print Format document using 'frappe.render_template(template, doc)'. Although the template is rendered in a Jinja SandboxedEnvironment, the globals that ERPNext supplies through 'get_safe_globals()' include sensitive functions such as 'frappe.db.sql', so the sandbox does not prevent database access from the template. An authenticated attacker with the ability to create or modify Print Formats can inject arbitrary Jinja expressions into the 'html' field. Once the malicious Print Format is saved, the attacker can invoke 'get_html_and_style()' with a target document to execute the injected payload, leading to unauthorized disclosure of database information such as version details, schema information, or other sensitive data, depending on the nature of the injection.
Exploitation of this vulnerability allows authenticated attackers to execute arbitrary SQL queries via server-side template injection, resulting in the disclosure of sensitive database information.
To reproduce this vulnerability, an authenticated user with permission to create or modify Print Formats should first inject a Jinja2 payload into the 'html' field of a new Print Format document and save it. After the Print Format is saved, the user can trigger the SSTI by calling the 'get_html_and_style()' API with a document that references the malicious Print Format. This will execute the injected payload and leak database information through the exposed 'frappe.db.sql' global.
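As an added defensive example (not code from Frappe or from this advisory), the helper below audits a Print Format's 'html' field for Jinja blocks that reference the exposed 'frappe.db.sql' global before the document is saved or during a periodic review; it generalises the check to any 'frappe.db.*' name, which is an assumption on top of the advisory, which names only 'frappe.db.sql'. The sample templates are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed audit rule (not Frappe code): any dotted name under frappe.db.
# reaches the database handle the advisory says the sandbox still exposes.
DENIED_PREFIXES = ("frappe.db.",)

# Matches {{ ... }} output expressions and {% ... %} statement blocks,
# including the whitespace-control forms {{- ... -}} and {%- ... -%}.
JINJA_BLOCK_RE = re.compile(r"\{\{-?(.*?)-?\}\}|\{%-?(.*?)-?%\}", re.DOTALL)
# Dotted attribute chains such as frappe.db.sql, tolerating spaces around dots.
DOTTED_NAME_RE = re.compile(r"\b[A-Za-z_]\w*(?:\s*\.\s*[A-Za-z_]\w*)+")


@dataclass
class Finding:
    line: int          # line of the Print Format html where the block starts
    name: str          # normalised dotted name that matched the denylist
    expression: str    # the full Jinja block body, for the reviewer


def extract_jinja_blocks(html):
    """Yield (line_number, block_body) for every Jinja block in the html."""
    for m in JINJA_BLOCK_RE.finditer(html):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        yield html.count("\n", 0, m.start()) + 1, body.strip()


def audit_print_format_html(html):
    """Return a Finding for each dotted name inside a Jinja block that
    reaches a denied global; an empty list means none was referenced."""
    findings = []
    for line, body in extract_jinja_blocks(html):
        for raw in DOTTED_NAME_RE.findall(body):
            name = re.sub(r"\s+", "", raw)
            if name.startswith(DENIED_PREFIXES):
                findings.append(Finding(line, name, body))
    return findings


# Constructed sample templates, not taken from any real Print Format.
BENIGN_PRINT_FORMAT_HTML = (
    "<h1>{{ doc.name }}</h1>\n"
    "{% for row in doc.items %}<p>{{ row.item_code }}</p>{% endfor %}"
)
SUSPECT_PRINT_FORMAT_HTML = (
    "<h1>{{ doc.name }}</h1>\n"
    '<p>{{ frappe . db . sql("select 1") }}</p>'
)
```

Run the audit on the 'html' field in a before_save hook or over all Print Format records; a non-empty result should block the save or raise an alert for review.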