SQL Injection Vulnerability in Frappe ERPNext by Frappe Technologies
CVE-2025-52042
8.2HIGH
What is CVE-2025-52042?
In Frappe ERPNext version 15.57.5, the function get_rfq_containing_supplier() located at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is susceptible to SQL Injection vulnerabilities. This flaw enables attackers to manipulate SQL queries through the 'txt' parameter, potentially granting unauthorized access to sensitive database information. Protecting against such vulnerabilities is crucial for maintaining database integrity and ensuring user data security.
References
CVSS V3.1
Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved