Haongo

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext version 15.57.5 **Description** The `get rfq containing supplier()` function located at `erpnext/buying/doctype/request for quotation/request for quotation.py` is susceptible to SQL Injection. An attacker can inject a SQL query through the `txt` parameter, potentially allowing extraction of all information from databases. **Recommendations** Apply a fix that properly sanitizes the `txt` parameter used in the `get rfq containing supplier()` function.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext version 15.57.5 **Description** The `get material requests based on supplier()` function located at `erpnext/stock/doctype/material request/material request.py` is susceptible to SQL Injection. An attacker can inject a SQL query into the `txt` parameter, potentially allowing extraction of all information from databases. **Recommendations** Apply a fix to the `get material requests based on supplier()` function at `erpnext/stock/doctype/material request/material request.py` to prevent SQL Injection attacks.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext version 15.57.5 **Description** The function `get blanket orders()` at `erpnext/controllers/queries.py` is susceptible to SQL Injection. An attacker can potentially extract information from databases by injecting a SQL query into the `blanket order type` parameter. **Recommendations** Apply a fix for the SQL Injection issue in the `get blanket orders()` function at `erpnext/controllers/queries.py` in version 15.57.5.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext version 15.57.5 **Description** The `get stock balance for()` function located at `erpnext/stock/doctype/stock reconciliation/stock reconciliation.py` is susceptible to SQL Injection. An attacker can inject a SQL query through the `inventory dimensions dict` parameter, potentially allowing extraction of all information from databases. **Recommendations** Apply a fix to the `get stock balance for()` function at `erpnext/stock/doctype/stock reconciliation/stock reconciliation.py` to prevent SQL Injection through the `inventory dimensions dict` parameter.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext version 15.57.5 **Description** The `import coa()` function located at `erpnext/accounts/doctype/chart of accounts importer/chart of accounts importer.py` is susceptible to SQL injection. An attacker can inject a SQL query through the `company` parameter, potentially allowing extraction of all data from databases. The vulnerable function is `import coa()`. **Recommendations** Apply a fix for Frappe ERPNext version 15.57.5 to address the SQL injection issue in the `import coa()` function.

**Name of the Vulnerable Software and Affected Versions** Frappe ErpNext version 15.57.5 **Description** The `get timesheet detail rate()` function located at `erpnext/projects/doctype/timesheet/timesheet.py` is susceptible to SQL Injection. This allows an attacker to extract information from databases by injecting SQL queries through the `timelog` parameter. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `get timesheet detail rate()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext version 15.57.5 **Description** The `get loyalty program details with points()` function located at `erpnext/accounts/doctype/loyalty program/loyalty program.py` is susceptible to SQL Injection. An attacker can inject a SQL query into the `expiry date` parameter, potentially allowing extraction of all information from databases. **Recommendations** Apply a fix to the `get loyalty program details with points()` function at `erpnext/accounts/doctype/loyalty program/loyalty program.py` to prevent SQL Injection attacks.

**Name of the Vulnerable Software and Affected Versions** Frappe ERPNext version 15.57.5 **Description** Frappe ERPNext version 15.57.5 contains a SQL injection issue in the `get stock balance()` function located at `erpnext/stock/utils.py`. An attacker can inject a SQL query into the `inventory dimensions dict` parameter, potentially allowing them to extract information from databases. **Recommendations** Update to version 15.57.6 or later.