Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 15.89.0
A SQL injection vulnerability has been identified in Frappe ERPNext versions through 15.89.0. The issue arises in the 'get_outstanding_reference_documents()' function within 'erpnext/accounts/doctype/payment_entry/payment_entry.py'. This vulnerability allows authenticated attackers to inject SQL payloads via the 'to_posting_date' and 'from_posting_date' parameters, which are directly inserted into the SQL query without proper sanitization or parameter binding. As a result, attackers can extract arbitrary data from the database, potentially including sensitive information such as financial records and user data.
Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL queries, leading to unauthorized access to and disclosure of sensitive database information. This could include financial data and personal user information, and could enable further compromise of the ERP system.
To reproduce this vulnerability, send a POST request to the '/api/method/erpnext.accounts.doctype.payment_entry.payment_entry.get_outstanding_reference_documents' endpoint. Include a JSON object in the 'args' parameter that contains user-controlled 'from_posting_date' and 'to_posting_date' values. The injected SQL payload should be crafted to extract database information, such as the MySQL version.
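The flaw class described above, as an added example that is not ERPNext's code: a date-range filter built by string formatting, beside a version that parses both values as dates and binds them as parameters. It runs against an in-memory SQLite table with constructed rows; the table and function names are hypothetical.

```python
import sqlite3
from datetime import date

# Constructed sample rows; table and function names are hypothetical, not ERPNext's.
ROWS = [("INV-1", "2024-01-10"), ("INV-2", "2024-03-05"), ("INV-3", "2025-02-01")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoice (name TEXT, posting_date TEXT)")
    conn.executemany("INSERT INTO invoice VALUES (?, ?)", ROWS)
    return conn


def outstanding_unsafe(conn, from_posting_date, to_posting_date):
    # Weak pattern: request values become part of the SQL text itself.
    sql = (
        "SELECT name FROM invoice WHERE posting_date "
        f"BETWEEN '{from_posting_date}' AND '{to_posting_date}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def outstanding_safe(conn, from_posting_date, to_posting_date):
    # 1) Type check: anything that is not an ISO calendar date raises ValueError.
    start = date.fromisoformat(str(from_posting_date))
    end = date.fromisoformat(str(to_posting_date))
    # 2) Parameter binding: values travel separately from the SQL text.
    sql = "SELECT name FROM invoice WHERE posting_date BETWEEN ? AND ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (start.isoformat(), end.isoformat()))]


if __name__ == "__main__":
    db = build_db()
    tampered = "2024-12-31' OR '1'='1"  # constructed non-date value
    print(outstanding_unsafe(db, "2024-01-01", "2024-12-31"))  # honest input
    print(outstanding_unsafe(db, "2024-01-01", tampered))      # date filter no longer applies
    try:
        outstanding_safe(db, "2024-01-01", tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone already keeps the value out of the SQL text; the date parse adds an early rejection that can be logged and alerted on.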