Frappé · Erpnext · CVE-2018-20061
**Name of the Vulnerable Software and Affected Versions**
ERPNext versions 10.x through 11.0.3-beta.29
**Description**
A SQL injection issue was discovered that allows a logged-in attacker to construct SQL queries returning any column from any table in the database. The issue is related to the `/api/resource/Item?fields=` API endpoint, `frappe.get_list`, and `frappe.call()`. The attack requires a logged-in user, but many sites allow account creation via the web, and no special privileges are needed to conduct the attack.
**Recommendations**
For ERPNext versions 10.x through 11.0.3-beta.29, consider restricting access to the `/api/resource/Item?fields=` API endpoint until a patch is available. As a temporary workaround, avoid passing untrusted input to the `frappe.get_list` and `frappe.call()` functions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
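The workaround above amounts to never letting a caller-supplied `fields` value reach the SQL builder unchecked. The following is an added illustration, not Frappe's or ERPNext's own code, of an allowlist check for such a parameter; the column allowlist, the `tabItem` table name and the accepted input shapes (a JSON list or a comma-separated string) are assumptions.

```python
import json
import re

# Assumed allowlist of columns a caller may request from the Item table.
ALLOWED_FIELDS = {"name", "item_code", "item_name", "item_group", "stock_uom"}
# A bare column identifier: no quotes, parentheses, spaces or operators.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_fields(raw):
    """Accept '["name","item_code"]' or 'name,item_code'; return a list of str."""
    if not isinstance(raw, str):
        raise ValueError("fields must be a string")
    raw = raw.strip()
    if raw.startswith("["):
        try:
            items = json.loads(raw)  # JSONDecodeError is a ValueError subclass
        except ValueError as exc:
            raise ValueError("fields is not valid JSON") from exc
        if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
            raise ValueError("fields must be a JSON list of strings")
    else:
        items = raw.split(",")
    items = [i.strip() for i in items if i.strip()]
    if not items:
        raise ValueError("no fields requested")
    return items


def validate_fields(raw, allowed=ALLOWED_FIELDS):
    """Reject anything that is not a bare identifier on the allowlist, so
    expressions, subqueries, backticks and unknown columns never reach SQL."""
    fields = parse_fields(raw)
    for f in fields:
        if not _IDENT.fullmatch(f):
            raise ValueError(f"malformed field name: {f!r}")
        if f not in allowed:
            raise ValueError(f"field not permitted: {f!r}")
    return fields


def is_safe_fields(raw):
    """Boolean form of validate_fields for callers that only need a verdict."""
    try:
        validate_fields(raw)
        return True
    except ValueError:
        return False


def build_select(raw, table="tabItem"):
    """Quote each validated column; the table name is a constant, never input."""
    cols = ", ".join(f"`{c}`" for c in validate_fields(raw))
    return f"SELECT {cols} FROM `{table}`"
```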