A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. The attack requires a logged-in user; however, many ERPNext sites allow account creation via the web, and no special privileges are needed beyond that. By calling a JavaScript function that invokes a server-side Python function with carefully chosen arguments, an authenticated user can construct SQL queries that return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
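The weakness described above, shown as an added example that is not Frappe's or ERPNext's own code: a simplified stand-in for a get_list-style endpoint whose `fields` argument is client-controlled, with the vulnerable string-pasting pattern beside a hardened builder that allowlists every field against the table's known columns. All names (`SCHEMA`, `build_select_*`, `fetch_items`) and the schema are this example's own assumptions.

```python
import re
import sqlite3

# Added example (not Frappe/ERPNext code): a simplified stand-in for a
# get_list-style endpoint whose ``fields`` list arrives from the client.

# A legitimate field name is a bare identifier: no commas, spaces, quotes,
# parentheses or comment markers, so SQL syntax cannot hide inside it.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed schema: the columns each doctype table is allowed to expose.
SCHEMA = {
    "tabItem": {"name", "item_code", "item_name", "standard_rate"},
}


def build_select_vulnerable(table, fields):
    """'Before' pattern: field expressions are pasted into the query verbatim,
    so whatever the client sends is parsed as SQL rather than treated as data."""
    return "SELECT {} FROM `{}`".format(", ".join(fields), table)


def is_permitted(table, fields):
    """Every requested field must be a bare identifier AND a known column."""
    return bool(fields) and table in SCHEMA and all(
        _IDENTIFIER.match(f) and f in SCHEMA[table] for f in fields
    )


def build_select_safe(table, fields):
    """Hardened: allowlist the table and each field, then quote identifiers."""
    if not is_permitted(table, fields):
        raise ValueError("field list not permitted for %r: %r" % (table, fields))
    cols = ", ".join("`%s`" % f for f in fields)
    return "SELECT {} FROM `{}`".format(cols, table)


def fetch_items(fields):
    """Run the hardened query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `tabItem` (name TEXT, item_code TEXT, "
                 "item_name TEXT, standard_rate REAL)")
    conn.execute("INSERT INTO `tabItem` VALUES ('ITEM-1', 'ITEM-1', 'Widget', 9.5)")
    rows = conn.execute(build_select_safe("tabItem", fields)).fetchall()
    conn.close()
    return rows
```

The allowlist check rejects both a value that is not a plain identifier and an identifier that is not one of the table's declared columns, which closes the path by which a `fields=` parameter could name other tables' data.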
Name | Vendor | Start Version | End Version |
---|---|---|---|
Erpnext | Frappe | 10.0.0 (including) | 10.1.76 (including) |
Erpnext | Frappe | 11.0.0 (including) | 11.0.3 (excluding) |
Erpnext | Frappe | 11.0.3-beta10 (including) | 11.0.3-beta10 (including) |
Erpnext | Frappe | 11.0.3-beta11 (including) | 11.0.3-beta11 (including) |
Erpnext | Frappe | 11.0.3-beta12 (including) | 11.0.3-beta12 (including) |
Erpnext | Frappe | 11.0.3-beta13 (including) | 11.0.3-beta13 (including) |
Erpnext | Frappe | 11.0.3-beta14 (including) | 11.0.3-beta14 (including) |
Erpnext | Frappe | 11.0.3-beta15 (including) | 11.0.3-beta15 (including) |
Erpnext | Frappe | 11.0.3-beta16 (including) | 11.0.3-beta16 (including) |
Erpnext | Frappe | 11.0.3-beta17 (including) | 11.0.3-beta17 (including) |
Erpnext | Frappe | 11.0.3-beta18 (including) | 11.0.3-beta18 (including) |
Erpnext | Frappe | 11.0.3-beta19 (including) | 11.0.3-beta19 (including) |
Erpnext | Frappe | 11.0.3-beta2 (including) | 11.0.3-beta2 (including) |
Erpnext | Frappe | 11.0.3-beta20 (including) | 11.0.3-beta20 (including) |
Erpnext | Frappe | 11.0.3-beta21 (including) | 11.0.3-beta21 (including) |
Erpnext | Frappe | 11.0.3-beta22 (including) | 11.0.3-beta22 (including) |
Erpnext | Frappe | 11.0.3-beta23 (including) | 11.0.3-beta23 (including) |
Erpnext | Frappe | 11.0.3-beta24 (including) | 11.0.3-beta24 (including) |
Erpnext | Frappe | 11.0.3-beta25 (including) | 11.0.3-beta25 (including) |
Erpnext | Frappe | 11.0.3-beta26 (including) | 11.0.3-beta26 (including) |
Erpnext | Frappe | 11.0.3-beta27 (including) | 11.0.3-beta27 (including) |
Erpnext | Frappe | 11.0.3-beta28 (including) | 11.0.3-beta28 (including) |
Erpnext | Frappe | 11.0.3-beta29 (including) | 11.0.3-beta29 (including) |
Erpnext | Frappe | 11.0.3-beta3 (including) | 11.0.3-beta3 (including) |
Erpnext | Frappe | 11.0.3-beta4 (including) | 11.0.3-beta4 (including) |
Erpnext | Frappe | 11.0.3-beta5 (including) | 11.0.3-beta5 (including) |
Erpnext | Frappe | 11.0.3-beta6 (including) | 11.0.3-beta6 (including) |
Erpnext | Frappe | 11.0.3-beta7 (including) | 11.0.3-beta7 (including) |
Erpnext | Frappe | 11.0.3-beta8 (including) | 11.0.3-beta8 (including) |
Erpnext | Frappe | 11.0.3-beta9 (including) | 11.0.3-beta9 (including) |