9.5.2

R3zk0n ยท October 2, 2025

Exploitation
Contents

    9.5.2

    Discover another location where ERPNext uses the render function to execute user-provided code.

    Email List in notify_customers()

    @frappe.whitelist()
def notify_customers(delivery_trip):
	delivery_trip = frappe.get_doc("Delivery Trip", delivery_trip)

	context = delivery_trip.as_dict()

	if delivery_trip.driver:
		context.update(frappe.db.get_value("Driver", delivery_trip.driver, "cell_number", as_dict=1))

	email_recipients = []

	for stop in delivery_trip.delivery_stops:
		contact_info = frappe.db.get_value("Contact", stop.contact,
											["first_name", "last_name", "email_id", "gender"], as_dict=1)

		if contact_info and contact_info.email_id:
			context.update(stop.as_dict())
			context.update(contact_info)

			dispatch_template_name = frappe.db.get_single_value("Delivery Settings", "dispatch_template")
			dispatch_template = frappe.get_doc("Email Template", dispatch_template_name)

			frappe.sendmail(recipients=contact_info.email_id,
							subject=dispatch_template.subject,
							message=frappe.render_template(dispatch_template.response, context),
							attachments=get_attachments(stop))

    @frappe.whitelist()
def get_rendered_raw_commands(doc, name=None, print_format=None, meta=None, lang=None):
	"""Returns Rendered Raw Commands of print format, used to send directly to printer"""

	if isinstance(doc, string_types) and isinstance(name, string_types):
		doc = frappe.get_doc(doc, name)

	if isinstance(doc, string_types):
		doc = frappe.get_doc(json.loads(doc))

	print_format = get_print_format_doc(print_format, meta=meta or frappe.get_meta(doc.doctype))

	if not print_format or (print_format and not print_format.raw_printing):
		frappe.throw(_("{0} is not a raw printing format.").format(print_format),
				frappe.TemplateNotFoundError)

	return {
		"raw_commands": get_rendered_template(doc, name=name, print_format=print_format, meta=meta)
	}

    In Letterhead for print previews (exploitable)

    if letter_head.content:
		letter_head.content = frappe.utils.jinja.render_template(letter_head.content, {"doc": doc.as_dict()})

	if letter_head.footer:
		letter_head.footer = frappe.utils.jinja.render_template(letter_head.footer, {"doc": doc.as_dict()})

    Twitter, Facebook