High severity8.8NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026

CVE-2017-1000120

Description

[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.

Affected products

Frappe/Frappe
cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*
Range: <=7.1.27

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.htmlnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000