Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 15.89.0
A SQL injection vulnerability has been identified in Frappe ERPNext versions through 15.89.0. The issue arises in the 'get_outstanding_reference_documents()' function within the 'erpnext.accounts.doctype.payment_entry.payment_entry' module. The vulnerability allows authenticated attackers to inject SQL payloads via the 'from_posting_date' and 'to_posting_date' parameters. These parameters are directly interpolated into a SQL query without proper sanitization or parameter binding, enabling the extraction of arbitrary data from the database, including sensitive financial and user-related information.
Exploitation of this vulnerability allows authenticated attackers to execute arbitrary SQL queries, potentially leading to unauthorized disclosure of sensitive database contents such as financial records and user data. This could result in further compromise of the ERP system.
To reproduce this vulnerability, send a POST request to the '/api/method/erpnext.accounts.doctype.payment_entry.payment_entry.get_outstanding_reference_documents' endpoint. Include a JSON payload in the 'args' parameter that contains user-controlled date values for 'from_posting_date' and 'to_posting_date'. The injected SQL payload should be crafted to extract database information, such as the MySQL version.
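The weakness described above, shown as an added example that is not ERPNext's code: the same date-range filter built by string interpolation and by validated, bound parameters. It assumes an in-memory SQLite database in place of the ERP database; the `ledger` table, the function names and the sample rows are hypothetical and constructed for illustration.

```python
import re
import sqlite3
from datetime import date

# Constructed value: a quote ends the date literal and the rest is parsed as SQL.
TAMPERED = "2024-01-31' OR '1'='1"

def build_db():
    """Constructed sample ledger; table and columns are hypothetical, not ERPNext's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ledger (voucher TEXT, posting_date TEXT)")
    db.executemany("INSERT INTO ledger VALUES (?, ?)", [
        ("INV-1", "2024-01-10"), ("INV-2", "2024-02-15"), ("INV-3", "2024-03-20")])
    return db

def vouchers_interpolated(db, from_posting_date, to_posting_date):
    # Weak pattern: request values are formatted into the SQL text itself.
    sql = ("SELECT voucher FROM ledger WHERE posting_date "
           f"BETWEEN '{from_posting_date}' AND '{to_posting_date}' ORDER BY voucher")
    return [row[0] for row in db.execute(sql)]

def parse_posting_date(value):
    # Accept only YYYY-MM-DD that is also a real calendar date, else ValueError.
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        raise ValueError("posting date must be YYYY-MM-DD")
    return date.fromisoformat(value).isoformat()

def vouchers_bound(db, from_posting_date, to_posting_date):
    # Hardened pattern: validate the type, then bind the values as parameters
    # so they can never change the structure of the statement.
    params = (parse_posting_date(from_posting_date), parse_posting_date(to_posting_date))
    sql = ("SELECT voucher FROM ledger WHERE posting_date "
           "BETWEEN ? AND ? ORDER BY voucher")
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = build_db()
    print(vouchers_interpolated(db, "2024-01-01", TAMPERED))  # date filter bypassed
    try:
        vouchers_bound(db, "2024-01-01", TAMPERED)
    except ValueError as exc:
        print("rejected:", exc)
```

The same two controls apply to any field the endpoint expects to be a date: reject values that do not parse as a date before they reach the query layer, and keep them out of the SQL text by binding.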