Hello,
I was playing around with some URL requests and found a concerning issue.
When using arbitrary GET requests, the error log is prompted to the user (possibly attacker).
See below. The concern on my side is, that the server tells the potential attacker at least the user name and the location of the the Frappe instance which could be exploited for other attacks.
What do others think?
How to reproduce:
Type URL in browser (example):
https://my-erpnext-domain/login?cmd=*
Response:
**
