Remote Code Execution vulnerability

I found this site that shows a Remote Code Execution vulnerability for ERPNext and explains how to hack Python to access the system console remotely!!!
Has this been addressed?

Thanks

It looks like it was indeed possible for a System Manager, until Frappe v13.58.9 (included), to execute arbitrary commands in the container/server where a site is hosted.

More information: "RestrictedPython vulnerable to arbitrary code execution via stack frame sandbox escape" (CVE-2023-37271, GitHub Advisory Database)