Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework  – Full Disclosure

Posted on By Joe-W No Comments on Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework  – Full Disclosure
Alert Feeds

 

Posted by Ron E on May 27


An authenticated SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of the Frappe Framework,
affecting versions v15.56.1. The vulnerability stems from improper sanitization of the fields[] parameter, which allows
low-privileged users to inject arbitrary SQL expressions directly into the SELECT clause.

Sample Structured Query Language Injection:

Request:

GET…
 – Read More  – Full Disclosure 

You may also like

Alert Feeds
SQL Injection in Admin Functionality – dolphin.prov7.4.2  – Full Disclosure
March 25, 2025
Alert Feeds
Microsoft Windows .XRM-MS File / NTLM Information Disclosure Spoofing  – Full Disclosure
May 1, 2025
Alert Feeds
APPLE-SA-03-11-2025-4 visionOS 2.3.2  – Full Disclosure
March 20, 2025
Alert Feeds
APPLE-SA-03-31-2025-5 iOS 16.7.11 and iPadOS 16.7.11  – Full Disclosure
April 3, 2025

Leave a Reply

AttackFeed by Joe Wagner
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.