This article describes a SQL injection vulnerability in the Frappe Framework's API, affecting version v15.56.1, which allows low-privileged (authenticated) users to inject SQL into a query the server builds. The vulnerability arises from insufficient sanitization of user input, enabling attackers to execute arbitrary SQL fragments and to confirm the injection with time-based techniques. #FrappeFramework #SQLInjection
Keypoints
- An SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of Frappe Framework v15.56.1.
- The flaw results from inadequate sanitization of the "fields[]" parameter, whose values are placed into the query as SQL expressions rather than being restricted to column names, allowing arbitrary SQL injection.
- Attackers can use this vulnerability to perform time-based (blind) SQL injection, for example injecting a SLEEP() call and measuring the response delay to confirm that the injected SQL is executed.
- Exploiting this flaw can lead to unauthorized database access and potential data compromise.
- Updating to a patched version of Frappe Framework is necessary to mitigate this security risk.
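The keypoints above describe the pattern (caller-supplied "fields[]" entries pasted into a SELECT list) without showing code, and the page does not contain Frappe's actual vulnerable or patched code. The following is an added, self-contained illustration, not Frappe's code: a deliberately unsafe query builder beside a hardened one that only accepts allowlisted column identifiers, plus a small request-log check a defender could run for the same parameter. The DocType name, the column allowlist, the log-line format and the `tabToDo` table are assumptions made for the example; the `SLEEP(5)` string is only built and inspected, never executed.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist for this illustration, not Frappe's real schema or code:
# the columns a caller may request per DocType.
ALLOWED_COLUMNS = {
    "ToDo": {"name", "status", "description", "owner", "modified"},
}

# A field entry must be a bare column identifier, optionally `backticked` and
# optionally table-qualified. Parentheses, spaces, quotes, commas and comment
# markers never match, so SLEEP(5) or a subquery cannot slip through.
IDENTIFIER = re.compile(
    r"^`?[A-Za-z_][A-Za-z0-9_]*`?(?:\.`?[A-Za-z_][A-Za-z0-9_]*`?)?$"
)


def is_safe_field(doctype: str, field: str) -> bool:
    """True only if `field` is an allowlisted column identifier for `doctype`."""
    if not IDENTIFIER.match(field):
        return False
    column = field.rsplit(".", 1)[-1].strip("`")
    return column in ALLOWED_COLUMNS.get(doctype, set())


def quote_identifier(field: str) -> str:
    """Backtick-quote each dotted part so the identifier is passed through verbatim."""
    return ".".join("`" + part.strip("`") + "`" for part in field.split("."))


def build_query_unsafe(doctype: str, fields: list[str]) -> str:
    """The anti-pattern: caller-supplied field expressions pasted into the SELECT list."""
    return f"SELECT {', '.join(fields)} FROM `tab{doctype}`"


def build_query_safe(doctype: str, fields: list[str]) -> str:
    """Hardened variant: reject any entry that is not an allowlisted identifier."""
    rejected = [f for f in fields if not is_safe_field(doctype, f)]
    if rejected:
        raise ValueError(f"rejected field expression(s): {rejected}")
    return f"SELECT {', '.join(quote_identifier(f) for f in fields)} FROM `tab{doctype}`"


def flag_suspicious_requests(log_lines: list[str]) -> list[str]:
    """Detection side: return log lines whose fields[] values are not plain identifiers."""
    flagged = []
    for line in log_lines:
        url = line.split()[-1]  # constructed log format: "<timestamp> <method> <url>"
        params = parse_qs(urlparse(url).query)
        values = params.get("fields[]", []) + params.get("fields", [])
        if any(not IDENTIFIER.match(v) for v in values):
            flagged.append(line)
    return flagged


def demo() -> dict:
    """Run the safe query against an in-memory SQLite table; build (not run) the unsafe one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `tabToDo` (name TEXT, status TEXT, description TEXT)")
    conn.execute("INSERT INTO `tabToDo` VALUES ('TODO-0001', 'Open', 'rotate keys')")
    rows = conn.execute(build_query_safe("ToDo", ["name", "status"])).fetchall()
    # The time-based probe from the advisory, as a string only: the unsafe builder
    # accepts it verbatim, the safe builder raises before any SQL exists to run.
    payload = "SLEEP(5)"
    unsafe_sql = build_query_unsafe("ToDo", ["name", payload])
    try:
        build_query_safe("ToDo", ["name", payload])
        rejected = False
    except ValueError:
        rejected = True
    return {"rows": rows, "unsafe_sql": unsafe_sql, "payload_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The validation is an allowlist on identifiers, not a blocklist on keywords: column names cannot be bound as query parameters, so the only safe way to accept them from a client is to match each one against a fixed pattern and a known schema before quoting it. The log check applies the same identifier pattern to requests, which catches `SLEEP(...)`, subqueries and comment markers in a single rule rather than chasing individual payload strings.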