An Chu

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext versions through 15.89.0 **Description** A Server-Side Template Injection (SSTI) issue exists in the `get dunning letter text` method. The function renders Jinja2 templates (`)body text`) using `frappe.render template()` with a user-supplied context (`)doc`). Despite the use of a SandboxedEnvironment, dangerous globals like `frappe.db.sql` remain accessible through `get safe globals()`. An authenticated attacker who can configure Dunning Type and its child table Dunning Letter Text can inject Jinja expressions, potentially leading to server-side code execution in a limited context and information disclosure from the database. **Recommendations** Versions prior to 15.89.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext versions through 15.89.0 **Description** A Server-Side Template Injection (SSTI) issue exists in the `get contract template` function. This function renders Jinja2 templates, specifically the `contract terms` field, using `frappe.render template()` with a user-supplied context (`doc`). Despite the use of a SandboxedEnvironment, dangerous globals like `frappe.db.sql` remain accessible through `get safe globals()`. An authenticated attacker who can create or modify a Contract Template can inject Jinja expressions into the `contract terms` field, potentially leading to server-side code execution within a limited context and the leakage of database information. **Recommendations** Versions prior to 15.89.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext versions through 15.89.0 **Description** An SSTI (Server-Side Template Injection) vulnerability exists in the `get terms and conditions` method. The function renders attacker-controlled Jinja2 templates (`terms`) using `frappe.render template()` with a user-supplied context (`doc`). While a custom SandboxedEnvironment is used, dangerous globals like `frappe.db.sql` remain accessible through `get safe globals()`. An authenticated attacker who can create or modify Terms and Conditions documents can inject arbitrary Jinja expressions into the `terms` field, leading to server-side code execution within a limited context. This can allow for the leakage of database information. **Recommendations** Versions prior to 15.89.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.