Vulnerabilites related to frappe - frappe
CVE-2025-52895 (GCVE-0-2025-52895)
Vulnerability from cvelistv5
Published
2025-06-30 17:05
Modified
2025-06-30 20:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-mhj8-jfhf-mcw9 | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/pull/31526 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/c795e351be033070174437324d74f44759a744a6 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/f0933590103c80c6393647dd0403d399e64c951c | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T20:40:36.810700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T20:40:43.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.58.0"
},
{
"status": "affected",
"version": "\u003c 14.94.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T17:05:36.027Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-mhj8-jfhf-mcw9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-mhj8-jfhf-mcw9"
},
{
"name": "https://github.com/frappe/frappe/pull/31526",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/31526"
},
{
"name": "https://github.com/frappe/frappe/commit/c795e351be033070174437324d74f44759a744a6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/c795e351be033070174437324d74f44759a744a6"
},
{
"name": "https://github.com/frappe/frappe/commit/f0933590103c80c6393647dd0403d399e64c951c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/f0933590103c80c6393647dd0403d399e64c951c"
}
],
"source": {
"advisory": "GHSA-mhj8-jfhf-mcw9",
"discovery": "UNKNOWN"
},
"title": "Frappe possibility of SQL injection due to improper validations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52895",
"datePublished": "2025-06-30T17:05:36.027Z",
"dateReserved": "2025-06-20T17:42:25.710Z",
"dateUpdated": "2025-06-30T20:40:43.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30212 (GCVE-0-2025-30212)
Vulnerability from cvelistv5
Published
2025-03-25 14:21
Modified
2025-03-25 14:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-3hj6-r5c9-q8f3 | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/commit/27f13437db161a173137d91cd07d0f9287d7c556 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/2ebd88520ecfa9bb7d3392b7de8c8f94a86ec05c | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T14:41:32.152461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T14:41:42.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.89.0"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.51.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T14:21:32.405Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-3hj6-r5c9-q8f3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-3hj6-r5c9-q8f3"
},
{
"name": "https://github.com/frappe/frappe/commit/27f13437db161a173137d91cd07d0f9287d7c556",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/27f13437db161a173137d91cd07d0f9287d7c556"
},
{
"name": "https://github.com/frappe/frappe/commit/2ebd88520ecfa9bb7d3392b7de8c8f94a86ec05c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/2ebd88520ecfa9bb7d3392b7de8c8f94a86ec05c"
}
],
"source": {
"advisory": "GHSA-3hj6-r5c9-q8f3",
"discovery": "UNKNOWN"
},
"title": "Frappe has possibility of SQL injection due to improper validations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30212",
"datePublished": "2025-03-25T14:21:32.405Z",
"dateReserved": "2025-03-18T18:15:13.850Z",
"dateUpdated": "2025-03-25T14:41:42.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30217 (GCVE-0-2025-30217)
Vulnerability from cvelistv5
Published
2025-03-26 16:18
Modified
2025-03-31 13:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-6phg-4wmq-h5h3 | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T17:10:27.573557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T18:05:18.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.93.2"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.55.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T13:12:27.821Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-6phg-4wmq-h5h3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-6phg-4wmq-h5h3"
}
],
"source": {
"advisory": "GHSA-6phg-4wmq-h5h3",
"discovery": "UNKNOWN"
},
"title": "Frappe has possibility of SQL injection due to improper validations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30217",
"datePublished": "2025-03-26T16:18:31.638Z",
"dateReserved": "2025-03-18T18:15:13.850Z",
"dateUpdated": "2025-03-31T13:12:27.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23058 (GCVE-0-2022-23058)
Vulnerability from cvelistv5
Published
2022-06-22 07:30
Modified
2024-09-16 17:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | x_refsource_MISC | |
| https://www.mend.io/vulnerability-database/CVE-2022-23058 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23058"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "v12.0.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "v13.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mend Vulnerability Research Team (MVR)"
}
],
"datePublic": "2022-05-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the \u2018username\u2019 field in \u2018my settings\u2019 which can lead to full account takeover."
}
],
"metrics": [
{
"other": {
"content": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": 3.1
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-22T07:30:21",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23058"
}
],
"solutions": [
{
"lang": "en",
"value": "Update version to v13.1.0 or later"
}
],
"source": {
"advisory": "https://www.mend.io/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "ERPNext - Stored XSS in My Settings",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "May 19, 2022, 12:00:00 AM",
"ID": "CVE-2022-23058",
"STATE": "PUBLIC",
"TITLE": "ERPNext - Stored XSS in My Settings"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "frappe",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "v12.0.9"
},
{
"version_affected": "\u003c=",
"version_value": "v13.0.3"
}
]
}
}
]
},
"vendor_name": "frappe"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Mend Vulnerability Research Team (MVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the \u2018username\u2019 field in \u2018my settings\u2019 which can lead to full account takeover."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": 3.1
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7"
},
{
"name": "https://www.mend.io/vulnerability-database/CVE-2022-23058",
"refsource": "MISC",
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23058"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update version to v13.1.0 or later"
}
],
"source": {
"advisory": "https://www.mend.io/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-23058",
"datePublished": "2022-06-22T07:30:21.429229Z",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-09-16T17:37:58.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24813 (GCVE-0-2024-24813)
Vulnerability from cvelistv5
Published
2024-03-20 18:11
Modified
2024-08-05 19:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "14.64.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T18:29:09.001899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:24:50.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.64.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn\u0027t have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T18:11:34.165Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"
}
],
"source": {
"advisory": "GHSA-fxfv-7gwx-54jh",
"discovery": "UNKNOWN"
},
"title": "Frappe SQL Injection from reporting logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24813",
"datePublished": "2024-03-20T18:11:34.165Z",
"dateReserved": "2024-01-31T16:28:17.941Z",
"dateUpdated": "2024-08-05T19:24:50.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14965 (GCVE-0-2019-14965)
Vulnerability from cvelistv5
Published
2019-08-12 17:21
Modified
2024-08-05 00:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/pull/8044 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/8045 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/8046 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/8047 | x_refsource_MISC | |
| https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4 | x_refsource_MISC | |
| https://github.com/frappe/frappe/releases/tag/v12.0.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:52.391Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-12T17:21:58",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/pull/8044",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"name": "https://github.com/frappe/frappe/pull/8045",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"name": "https://github.com/frappe/frappe/pull/8046",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"name": "https://github.com/frappe/frappe/pull/8047",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"name": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v12.0.4",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14965",
"datePublished": "2019-08-12T17:21:58",
"dateReserved": "2019-08-12T00:00:00",
"dateUpdated": "2024-08-05T00:34:52.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52896 (GCVE-0-2025-52896)
Vulnerability from cvelistv5
Published
2025-06-30 17:12
Modified
2025-06-30 20:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/pull/31483 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52896",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T20:39:32.414653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T20:39:38.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.57.0"
},
{
"status": "affected",
"version": "\u003c 14.94.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T17:12:50.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p"
},
{
"name": "https://github.com/frappe/frappe/pull/31483",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/31483"
},
{
"name": "https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f"
},
{
"name": "https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a"
}
],
"source": {
"advisory": "GHSA-hv29-66qg-2v6p",
"discovery": "UNKNOWN"
},
"title": "Frappe authenticated XSS via data import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52896",
"datePublished": "2025-06-30T17:12:50.590Z",
"dateReserved": "2025-06-20T17:42:25.710Z",
"dateUpdated": "2025-06-30T20:39:38.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14967 (GCVE-0-2019-14967)
Vulnerability from cvelistv5
Published
2019-08-12 17:21
Modified
2024-08-05 00:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/pull/7981 | x_refsource_MISC | |
| https://github.com/frappe/frappe/releases/tag/v11.1.46 | x_refsource_MISC | |
| https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:52.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/7981"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/releases/tag/v11.1.46"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-12T17:21:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/7981"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v11.1.46"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14967",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/pull/7981",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/7981"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v11.1.46",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/releases/tag/v11.1.46"
},
{
"name": "https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14967",
"datePublished": "2019-08-12T17:21:30",
"dateReserved": "2019-08-12T00:00:00",
"dateUpdated": "2024-08-05T00:34:52.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27105 (GCVE-0-2024-27105)
Vulnerability from cvelistv5
Published
2024-03-20 18:11
Modified
2024-08-02 17:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "14.66.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:frappe:frappe:15.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "15.16.0",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T17:32:55.953364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T17:38:02.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.66.3"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T18:11:58.069Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw"
}
],
"source": {
"advisory": "GHSA-hq5v-q29v-7rcw",
"discovery": "UNKNOWN"
},
"title": "Frappe File Permissions can by bypassed using certain endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27105",
"datePublished": "2024-03-20T18:11:58.069Z",
"dateReserved": "2024-02-19T14:43:05.994Z",
"dateUpdated": "2024-08-02T17:38:02.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30214 (GCVE-0-2025-30214)
Vulnerability from cvelistv5
Published
2025-03-25 15:05
Modified
2025-03-25 15:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-qrv3-jc3h-f3m6 | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T15:52:19.405844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T15:52:36.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.89.0"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.51.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There\u0027s no workaround to fix this without upgrading."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T15:05:42.656Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-qrv3-jc3h-f3m6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-qrv3-jc3h-f3m6"
}
],
"source": {
"advisory": "GHSA-qrv3-jc3h-f3m6",
"discovery": "UNKNOWN"
},
"title": "Frappe vulnerable to information disclosure leading to account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30214",
"datePublished": "2025-03-25T15:05:42.656Z",
"dateReserved": "2025-03-18T18:15:13.850Z",
"dateUpdated": "2025-03-25T15:52:36.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46127 (GCVE-0-2023-46127)
Vulnerability from cvelistv5
Published
2023-10-23 14:29
Modified
2024-09-11 15:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98 | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/pull/22339 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.327Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98"
},
{
"name": "https://github.com/frappe/frappe/pull/22339",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/22339"
},
{
"name": "https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T15:23:27.566716Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T15:23:48.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.49.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T14:29:01.888Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98"
},
{
"name": "https://github.com/frappe/frappe/pull/22339",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/22339"
},
{
"name": "https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900"
}
],
"source": {
"advisory": "GHSA-j2w9-8xrr-7g98",
"discovery": "UNKNOWN"
},
"title": "Frappe vulnerable to HTML injection by any Desk user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46127",
"datePublished": "2023-10-23T14:29:01.888Z",
"dateReserved": "2023-10-16T17:51:35.572Z",
"dateUpdated": "2024-09-11T15:23:48.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3988 (GCVE-0-2022-3988)
Vulnerability from cvelistv5
Published
2022-11-14 00:00
Modified
2025-04-15 13:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-79 Cross Site Scripting
Summary
A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. The name of the patch is bfab7191543961c6cb77fe267063877c31b616ce. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213560.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | Frappe |
Version: n/a |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/18847"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.213560"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:05:12.336140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:14:17.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Frappe",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. The name of the patch is bfab7191543961c6cb77fe267063877c31b616ce. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213560."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-14T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://github.com/frappe/frappe/pull/18847"
},
{
"url": "https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce"
},
{
"url": "https://vuldb.com/?id.213560"
}
],
"title": "Frappe Search navbar_search.html cross site scripting",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2022-3988",
"datePublished": "2022-11-14T00:00:00.000Z",
"dateReserved": "2022-11-14T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:14:17.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55732 (GCVE-0-2025-55732)
Vulnerability from cvelistv5
Published
2025-08-20 15:22
Modified
2025-08-20 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:45:12.513044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:45:41.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.74.2"
},
{
"status": "affected",
"version": "\u003c 14.96.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:22:21.091Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp"
},
{
"name": "https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857"
},
{
"name": "https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e"
}
],
"source": {
"advisory": "GHSA-6rpr-2hjx-w9vp",
"discovery": "UNKNOWN"
},
"title": "Frappe has the possibility of SQL Injection due to improper validations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55732",
"datePublished": "2025-08-20T15:22:21.091Z",
"dateReserved": "2025-08-14T22:31:17.682Z",
"dateUpdated": "2025-08-20T15:45:41.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55731 (GCVE-0-2025-55731)
Vulnerability from cvelistv5
Published
2025-08-20 15:22
Modified
2025-08-20 15:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2 | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:46:54.268817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:47:04.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.96.15"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.74.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:22:16.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2"
},
{
"name": "https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410"
},
{
"name": "https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd"
}
],
"source": {
"advisory": "GHSA-5p8f-568f-vfq2",
"discovery": "UNKNOWN"
},
"title": "Frappe has the possibility of Authenticated SQL Injection due to improper validations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55731",
"datePublished": "2025-08-20T15:22:16.058Z",
"dateReserved": "2025-08-14T22:31:17.682Z",
"dateUpdated": "2025-08-20T15:47:04.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23055 (GCVE-0-2022-23055)
Vulnerability from cvelistv5
Published
2022-06-22 08:25
Modified
2024-09-16 17:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.287Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23055"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "v11.0.3-beta.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "v13.14.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mend Vulnerability Research Team (MVR)"
}
],
"datePublic": "2022-03-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users."
}
],
"metrics": [
{
"other": {
"content": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": 3.1
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-30T17:56:47",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23055"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155"
}
],
"solutions": [
{
"lang": "en",
"value": "Update version to v13.1.0 or later"
}
],
"source": {
"advisory": "https://www.mend.io/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "ERPNext - Improper user access conrol",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "Mar 9, 2022, 12:00:00 AM",
"ID": "CVE-2022-23055",
"STATE": "PUBLIC",
"TITLE": "ERPNext - Improper user access conrol"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "frappe",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "v11.0.3-beta.1"
},
{
"version_affected": "\u003c=",
"version_value": "v13.14.1"
}
]
}
}
]
},
"vendor_name": "frappe"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Mend Vulnerability Research Team (MVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": 3.1
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mend.io/vulnerability-database/CVE-2022-23055",
"refsource": "MISC",
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23055"
},
{
"name": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134"
},
{
"name": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update version to v13.1.0 or later"
}
],
"source": {
"advisory": "https://www.mend.io/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-23055",
"datePublished": "2022-06-22T08:25:10.197361Z",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-09-16T17:53:19.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15700 (GCVE-0-2019-15700)
Vulnerability from cvelistv5
Published
2019-08-27 17:17
Modified
2024-08-05 00:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/pull/8262 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8262"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted \"changed value of\" text."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-27T17:17:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8262"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15700",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted \"changed value of\" text."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/pull/8262",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8262"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15700",
"datePublished": "2019-08-27T17:17:30",
"dateReserved": "2019-08-27T00:00:00",
"dateUpdated": "2024-08-05T00:56:22.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52898 (GCVE-0-2025-52898)
Vulnerability from cvelistv5
Published
2025-06-30 17:19
Modified
2025-06-30 18:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/pull/31522 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T18:01:08.276711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T18:01:16.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.58.0"
},
{
"status": "affected",
"version": "\u003c 14.94.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user\u0027s password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T17:19:31.543Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j"
},
{
"name": "https://github.com/frappe/frappe/pull/31522",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/31522"
},
{
"name": "https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2"
},
{
"name": "https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66"
}
],
"source": {
"advisory": "GHSA-p284-r7rh-wq7j",
"discovery": "UNKNOWN"
},
"title": "Frappe account takeover via password reset token leakage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52898",
"datePublished": "2025-06-30T17:19:31.543Z",
"dateReserved": "2025-06-20T17:42:25.710Z",
"dateUpdated": "2025-06-30T18:01:16.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41712 (GCVE-0-2022-41712)
Vulnerability from cvelistv5
Published
2022-11-25 00:00
Modified
2025-04-29 14:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Lack of data validation - Path Traversal
Summary
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/kiniza/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/frappe/frappe/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-41712",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:40:22.857994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:41:11.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Frappe",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "14.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Lack of data validation - Path Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-25T00:00:00.000Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/kiniza/"
},
{
"url": "https://github.com/frappe/frappe/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-41712",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-09-28T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:41:11.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20529 (GCVE-0-2019-20529)
Vulnerability from cvelistv5
Published
2020-03-18 17:30
Modified
2024-08-05 02:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/pull/8884 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/8885 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:46:10.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8884"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8885"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-18T17:30:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8884"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8885"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20529",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/pull/8884",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8884"
},
{
"name": "https://github.com/frappe/frappe/pull/8885",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8885"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20529",
"datePublished": "2020-03-18T17:30:31",
"dateReserved": "2020-03-18T00:00:00",
"dateUpdated": "2024-08-05T02:46:10.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27508 (GCVE-0-2020-27508)
Vulnerability from cvelistv5
Published
2020-12-11 15:13
Modified
2024-08-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/pull/11263 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/11262 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/11263"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/11262"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-11T15:13:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/11263"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/11262"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27508",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/pull/11263",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/11263"
},
{
"name": "https://github.com/frappe/frappe/pull/11262",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/11262"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27508",
"datePublished": "2020-12-11T15:13:30",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34074 (GCVE-0-2024-34074)
Vulnerability from cvelistv5
Published
2024-05-09 14:25
Modified
2024-08-02 02:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894 | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/pull/26304 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T17:18:37.160397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:41:36.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:43:00.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894"
},
{
"name": "https://github.com/frappe/frappe/pull/26304",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/26304"
},
{
"name": "https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c= 15.25.0"
},
{
"status": "affected",
"version": "\u003c= 14.73.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:25:25.979Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894"
},
{
"name": "https://github.com/frappe/frappe/pull/26304",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/26304"
},
{
"name": "https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829"
}
],
"source": {
"advisory": "GHSA-7g27-q225-j894",
"discovery": "UNKNOWN"
},
"title": "Frappe vuilnerable to an open redirect on login page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34074",
"datePublished": "2024-05-09T14:25:25.979Z",
"dateReserved": "2024-04-30T06:56:33.382Z",
"dateUpdated": "2024-08-02T02:43:00.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30213 (GCVE-0-2025-30213)
Vulnerability from cvelistv5
Published
2025-03-25 14:55
Modified
2025-03-25 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There's no workaround; an upgrade is required.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-v342-4xr9-x3q3 | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T15:04:20.837085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T15:04:26.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.91.0"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.52.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There\u0027s no workaround; an upgrade is required."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T14:55:04.949Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-v342-4xr9-x3q3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-v342-4xr9-x3q3"
}
],
"source": {
"advisory": "GHSA-v342-4xr9-x3q3",
"discovery": "UNKNOWN"
},
"title": "Frappe has Possibility of Remote Code Execution due to improper validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30213",
"datePublished": "2025-03-25T14:55:04.949Z",
"dateReserved": "2025-03-18T18:15:13.850Z",
"dateUpdated": "2025-03-25T15:04:26.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-35175 (GCVE-0-2020-35175)
Vulnerability from cvelistv5
Published
2020-12-11 22:10
Modified
2024-08-04 17:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/pull/11237 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/11228 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:02:06.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/11237"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/11228"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-11T22:10:40",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/11237"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/11228"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-35175",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/pull/11237",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/11237"
},
{
"name": "https://github.com/frappe/frappe/pull/11228",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/11228"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-35175",
"datePublished": "2020-12-11T22:10:40",
"dateReserved": "2020-12-11T00:00:00",
"dateUpdated": "2024-08-04T17:02:06.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41328 (GCVE-0-2023-41328)
Vulnerability from cvelistv5
Published
2023-09-06 17:46
Modified
2024-09-26 15:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679 | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/releases/tag/v13.46.1 | x_refsource_MISC | |
| https://github.com/frappe/frappe/releases/tag/v14.20.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:33.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v13.46.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/releases/tag/v13.46.1"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v14.20.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.20.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:48:10.238797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T15:23:38.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 13.46.1 "
},
{
"status": "affected",
"version": "\u003e= 14.0.0, \u003c 14.20.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There\u0027s no workaround to fix this without upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-06T17:46:45.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v13.46.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v13.46.1"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v14.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.20.0"
}
],
"source": {
"advisory": "GHSA-53wh-f67g-9679",
"discovery": "UNKNOWN"
},
"title": "Possibility limited SQL injection due to insufficient validation in Frappe"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41328",
"datePublished": "2023-09-06T17:46:45.689Z",
"dateReserved": "2023-08-28T16:56:43.366Z",
"dateUpdated": "2024-09-26T15:23:38.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24812 (GCVE-0-2024-24812)
Vulnerability from cvelistv5
Published
2024-02-07 15:03
Modified
2024-08-01 23:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS code if user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/security/advisories/GHSA-7p3m-h76m-hg9v | x_refsource_CONFIRM | |
| https://github.com/frappe/frappe/releases/tag/v14.59.0 | x_refsource_MISC | |
| https://github.com/frappe/frappe/releases/tag/v15.5.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24812",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T18:43:06.695783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:43:12.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.777Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-7p3m-h76m-hg9v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7p3m-h76m-hg9v"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v14.59.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.59.0"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v15.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.5.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 14.59.0"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS code if user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-07T15:03:29.677Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-7p3m-h76m-hg9v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7p3m-h76m-hg9v"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v14.59.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.59.0"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v15.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.5.0"
}
],
"source": {
"advisory": "GHSA-7p3m-h76m-hg9v",
"discovery": "UNKNOWN"
},
"title": "Frappe Authenticated Reflected Cross site scripting (XSS) in portal pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24812",
"datePublished": "2024-02-07T15:03:29.677Z",
"dateReserved": "2024-01-31T16:28:17.941Z",
"dateUpdated": "2024-08-01T23:28:12.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23057 (GCVE-0-2022-23057)
Vulnerability from cvelistv5
Published
2022-06-22 07:25
Modified
2024-09-16 17:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.mend.io/vulnerability-database/CVE-2022-23057 | x_refsource_MISC | |
| https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23057"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "v12.0.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "v13.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mend Vulnerability Research Team (MVR)"
}
],
"datePublic": "2022-05-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile."
}
],
"metrics": [
{
"other": {
"content": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": 3.1
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-22T07:25:11",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23057"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7"
}
],
"solutions": [
{
"lang": "en",
"value": "Update version to v13.1.0 or later"
}
],
"source": {
"advisory": "https://www.mend.io/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "ERPNext - Stored XSS in My Profile",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "May 18, 2022, 12:00:00 AM",
"ID": "CVE-2022-23057",
"STATE": "PUBLIC",
"TITLE": "ERPNext - Stored XSS in My Profile"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "frappe",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "v12.0.9"
},
{
"version_affected": "\u003c=",
"version_value": "v13.0.3"
}
]
}
}
]
},
"vendor_name": "frappe"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Mend Vulnerability Research Team (MVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": 3.1
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mend.io/vulnerability-database/CVE-2022-23057",
"refsource": "MISC",
"url": "https://www.mend.io/vulnerability-database/CVE-2022-23057"
},
{
"name": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update version to v13.1.0 or later"
}
],
"source": {
"advisory": "https://www.mend.io/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-23057",
"datePublished": "2022-06-22T07:25:11.161456Z",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-09-16T17:14:26.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1000120 (GCVE-0-2017-1000120)
Vulnerability from cvelistv5
Published
2017-10-04 01:00
Modified
2024-09-17 01:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:53:06.902Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2017-08-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "[ERPNext][Frappe Version \u003c= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-04T01:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2017-08-22T17:29:33.331918",
"ID": "CVE-2017-1000120",
"REQUESTER": "fabian.ullrich@stud.tu-darmstadt.de",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "[ERPNext][Frappe Version \u003c= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html",
"refsource": "MISC",
"url": "http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-1000120",
"datePublished": "2017-10-04T01:00:00Z",
"dateReserved": "2017-10-03T00:00:00Z",
"dateUpdated": "2024-09-17T01:40:58.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14966 (GCVE-0-2019-14966)
Vulnerability from cvelistv5
Published
2019-08-12 17:21
Modified
2024-08-05 00:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/frappe/frappe/pull/8044 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/8045 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/8046 | x_refsource_MISC | |
| https://github.com/frappe/frappe/pull/8047 | x_refsource_MISC | |
| https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4 | x_refsource_MISC | |
| https://github.com/frappe/frappe/releases/tag/v12.0.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-12T17:21:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14966",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/frappe/frappe/pull/8044",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"name": "https://github.com/frappe/frappe/pull/8045",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"name": "https://github.com/frappe/frappe/pull/8046",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"name": "https://github.com/frappe/frappe/pull/8047",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"name": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v12.0.4",
"refsource": "MISC",
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14966",
"datePublished": "2019-08-12T17:21:44",
"dateReserved": "2019-08-12T00:00:00",
"dateUpdated": "2024-08-05T00:34:53.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-12-11 23:15
Modified
2024-11-21 05:26
Severity ?
Summary
Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/frappe/frappe/pull/11228 | Third Party Advisory | |
| cve@mitre.org | https://github.com/frappe/frappe/pull/11237 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/11228 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/11237 | Patch, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0116070D-4E37-4A98-95B0-565197AB8795",
"versionEndIncluding": "12.12.0",
"versionStartIncluding": "12.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "0FA29C86-7D51-41DE-9E18-9932F9A0DBD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "070C124B-3E43-4EE3-B12D-EDC25DF3AD2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "48FAB577-61D8-4FAF-9FBB-05DF454454AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "5F0391DA-3197-41DC-8C3B-C65D90D4DD15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DF545F24-F328-4C92-B3D3-81DF8F610B41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "6EBC337A-BC86-4DB7-96B8-EE89419535EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "C8DDFA99-5427-49BC-AA27-29AA4DD84960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:13.0.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "6FFF74A2-97F1-43B3-A30C-FBDA77B60D83",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API."
},
{
"lang": "es",
"value": "Frappe Framework versiones 12 y 13, no comprueban apropiadamente el m\u00e9todo HTTP para la API frappe.client"
}
],
"id": "CVE-2020-35175",
"lastModified": "2024-11-21T05:26:54.130",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-11T23:15:14.607",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11228"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11237"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11228"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11237"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-25 15:15
Modified
2025-08-01 15:28
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FD67F6DF-6F3F-42EA-B6CF-417FEB5F84B0",
"versionEndExcluding": "14.89.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E123DCAD-B49D-49BB-96FA-377FFEEE3103",
"versionEndExcluding": "15.51.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There\u0027s no workaround to fix this without upgrading."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. En versiones anteriores a la 14.89.0 y la 15.51.0, realizar solicitudes manipuladas pod\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, lo que a su vez pod\u00eda llevar al robo de cuentas. Las versiones 14.89.0 y 15.51.0 solucionan este problema. No existe un workaround sin actualizar."
}
],
"id": "CVE-2025-30214",
"lastModified": "2025-08-01T15:28:15.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-03-25T15:15:26.460",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-qrv3-jc3h-f3m6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-26 17:15
Modified
2025-08-01 18:04
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4B53291D-EAE6-42A6-A54A-AEC2B3A797BC",
"versionEndExcluding": "14.93.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5FA59B6F-BBFD-4DC1-8D5B-133145493340",
"versionEndExcluding": "15.55.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.93.2 y 15.55.0, se identific\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en Frappe Framework que podr\u00eda permitir a un actor malicioso acceder a informaci\u00f3n confidencial. Las versiones 14.93.2 y 15.55.0 incluyen un parche para este problema. No se conocen workarounds."
}
],
"id": "CVE-2025-30217",
"lastModified": "2025-08-01T18:04:46.883",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-03-26T17:15:26.740",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-6phg-4wmq-h5h3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-15 16:15
Modified
2025-09-20 02:57
Severity ?
Summary
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8D6659ED-38DD-48FA-B480-675DB8ADAEFE",
"versionEndExcluding": "14.96.10",
"versionStartIncluding": "14.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24E9057E-E83C-49EE-887C-834C01990676",
"versionEndExcluding": "15.72.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter."
}
],
"id": "CVE-2025-52048",
"lastModified": "2025-09-20T02:57:59.197",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-09-15T16:15:39.060",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Vietsunshine-Electronic-Solution-JSC/Vulnerability-Disclosures/blob/main/2025/Frappe%20Framework%20-%20Multiple%20SQL%20Injection.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-mggw-6xqj-rphj"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-21 02:52
Modified
2025-07-31 20:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B63AB31A-29DA-4A7A-8789-F97C6A9712E2",
"versionEndExcluding": "14.64.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn\u0027t have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaci\u00f3n web completo. Antes de las versiones 14.64.0 y 15.0.0, la inyecci\u00f3n SQL desde un m\u00e9todo particular incluido en la lista blanca puede dar como resultado el acceso a datos a los que el usuario no tiene permiso para acceder. Las versiones 14.64.0 y 15.0.0 contienen un parche para este problema. No hay workarounds disponibles."
}
],
"id": "CVE-2024-24813",
"lastModified": "2025-07-31T20:16:59.737",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-21T02:52:11.770",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-10-05 01:29
Modified
2025-04-20 01:37
Severity ?
Summary
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "441CDA52-92DF-4748-B45D-B7147712A349",
"versionEndIncluding": "7.1.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "[ERPNext][Frappe Version \u003c= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter."
},
{
"lang": "es",
"value": "[ERPNext][Frappe en versiones iguales o anteriores a la 7.1.27] Una vulnerabilidad de inyecci\u00f3n SQL en frappe.share.get_users permite que usuarios autenticados remotos ejecuten comandos SQL arbitrarios mediante el par\u00e1metro fields."
}
],
"id": "CVE-2017-1000120",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-05T01:29:04.760",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-06 18:15
Modified
2024-11-21 08:21
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "418BFA9F-DE58-440C-BC07-A7195C346BE5",
"versionEndExcluding": "13.46.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "257F1200-5913-42A0-B2FF-C9B7A5FDC7DD",
"versionEndExcluding": "14.20.0",
"versionStartIncluding": "14.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There\u0027s no workaround to fix this without upgrading."
},
{
"lang": "es",
"value": "Frappe es un framework web de c\u00f3digo bajo escrito en Python y Javascript. Se ha identificado una vulnerabilidad de inyecci\u00f3n SQL en Frappe Framework que podr\u00eda permitir a un actor malintencionado acceder a informaci\u00f3n confidencial. Este problema se ha solucionado en las versiones 13.46.1 y 14.20.0. Se recomienda a los usuarios que actualicen. No hay ning\u00fan workaround para solucionar esto sin actualizar."
}
],
"id": "CVE-2023-41328",
"lastModified": "2024-11-21T08:21:05.050",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-06T18:15:09.047",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v13.46.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.20.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v13.46.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.20.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-08-20 16:15
Modified
2025-08-22 20:53
Severity ?
Summary
Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3E4598B-ECB0-4264-9344-0FB6333C5065",
"versionEndExcluding": "14.96.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD3D60D-BEC6-4207-AD31-8078145E5520",
"versionEndExcluding": "15.74.2",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Una solicitud cuidadosamente manipulada podr\u00eda extraer datos a los que el usuario normalmente no tendr\u00eda acceso mediante inyecci\u00f3n SQL. Esta vulnerabilidad est\u00e1 corregida en las versiones 15.74.2 y 14.96.15."
}
],
"id": "CVE-2025-55731",
"lastModified": "2025-08-22T20:53:21.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-20T16:15:42.930",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-30 17:15
Modified
2025-07-08 14:10
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5C728F8-F935-48C1-A04A-61FA2D1AAE2B",
"versionEndExcluding": "14.94.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ABF7B296-EDC2-4DFB-9BCA-82B7FB169676",
"versionEndExcluding": "15.57.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.94.2 y 15.57.0, los usuarios autenticados pod\u00edan subir archivos maliciosos cuidadosamente manipulados mediante la importaci\u00f3n de datos, lo que provocaba ataques de cross-site scripting (XSS). Este problema se ha corregido en las versiones 14.94.2 y 15.57.0. No existen soluciones alternativas aparte de actualizar."
}
],
"id": "CVE-2025-52896",
"lastModified": "2025-07-08T14:10:33.893",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-30T17:15:33.093",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/frappe/frappe/pull/31483"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-12 18:15
Modified
2024-11-21 04:27
Severity ?
Summary
An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/frappe/frappe/pull/7981 | Third Party Advisory | |
| cve@mitre.org | https://github.com/frappe/frappe/releases/tag/v11.1.46 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/7981 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/releases/tag/v11.1.46 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "689D4C92-DD56-4F8A-BAEC-82CCAF2E44E5",
"versionEndExcluding": "11.1.46",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:10.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F846A96B-67D9-4A10-8E34-EAFF68875ECB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:12.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "11D0FC72-5CC2-41BC-98B7-1E7F628D1DB6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability."
},
{
"lang": "es",
"value": "Se detecto un problema en Frappe Framework versiones 10, 11 antes de 11.1.46 y 12. Existe una vulnerabilidad XSS."
}
],
"id": "CVE-2019-14967",
"lastModified": "2024-11-21T04:27:47.400",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-12T18:15:12.317",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/7981"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v11.1.46"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/7981"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v11.1.46"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-12 18:15
Modified
2024-11-21 04:27
Severity ?
Summary
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "61790F10-780E-474F-9747-4DFA9BD2E243",
"versionEndExcluding": "12.0.4",
"versionStartIncluding": "10.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists."
},
{
"lang": "es",
"value": "Se detecto un problema en Frappe Framework versiones 10 a 12 antes de 12.0.4. Existe un problema de inyecci\u00f3n de plantilla del lado del servidor (SSTI)."
}
],
"id": "CVE-2019-14965",
"lastModified": "2024-11-21T04:27:47.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-12T18:15:12.113",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-05-14 15:38
Modified
2025-08-04 14:37
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CDB27F1-D6D1-486B-8E1A-42DCF4443970",
"versionEndExcluding": "14.74.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6B4D88-2321-491D-B015-28ACA6C6DBFC",
"versionEndExcluding": "15.26.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaci\u00f3n web completo. Antes de 15.26.0 y 14.74.0, la p\u00e1gina de inicio de sesi\u00f3n acepta el argumento de redireccionamiento y permit\u00eda el redireccionamiento a URL externas que no son de confianza. Este comportamiento puede ser utilizado por actores malintencionados para realizar phishing. Esta vulnerabilidad se solucion\u00f3 en 15.26.0 y 14.74.0."
}
],
"id": "CVE-2024-34074",
"lastModified": "2025-08-04T14:37:59.307",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-05-14T15:38:27.850",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/frappe/frappe/pull/26304"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/frappe/frappe/pull/26304"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-23 15:15
Modified
2024-11-21 08:27
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A420A9-14D7-4416-96EC-AF18CD78BF09",
"versionEndExcluding": "14.49.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaci\u00f3n web completo que utiliza Python y MariaDB en el lado del servidor y una librer\u00eda integrada en el lado del cliente. Un usuario malicioso de Frappe con acceso al escritorio podr\u00eda crear documentos que contengan cargas HTML que permitan la inyecci\u00f3n de HTML. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 14.49.0."
}
],
"id": "CVE-2023-46127",
"lastModified": "2024-11-21T08:27:56.190",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-23T15:15:09.313",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/frappe/frappe/pull/22339"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/frappe/frappe/pull/22339"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-14 11:15
Modified
2024-11-21 07:20
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. The name of the patch is bfab7191543961c6cb77fe267063877c31b616ce. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213560.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce | Patch, Third Party Advisory | |
| cna@vuldb.com | https://github.com/frappe/frappe/pull/18847 | Patch, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.213560 | Permissions Required, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/18847 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.213560 | Permissions Required, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FEE080C7-760D-4F48-8CAD-22BF00B52ED6",
"versionEndIncluding": "14.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. The name of the patch is bfab7191543961c6cb77fe267063877c31b616ce. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213560."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en Frappe. Ha sido calificado como problem\u00e1tico. Una funci\u00f3n desconocida del archivo frappe/templates/includes/navbar/navbar_search.html del componente Buscar es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento q conduce a cross site scripting. El ataque puede lanzarse de forma remota. El nombre del parche es bfab7191543961c6cb77fe267063877c31b616ce. Se recomienda aplicar un parche para solucionar este problema. El identificador de esta vulnerabilidad es VDB-213560."
}
],
"id": "CVE-2022-3988",
"lastModified": "2024-11-21T07:20:41.007",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-14T11:15:10.123",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce"
},
{
"source": "cna@vuldb.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/18847"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.213560"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/18847"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.213560"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-707"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-18 19:15
Modified
2024-11-21 04:38
Severity ?
Summary
In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/frappe/frappe/pull/8884 | Third Party Advisory | |
| cve@mitre.org | https://github.com/frappe/frappe/pull/8885 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/8884 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/8885 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:11.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9AF4DCE3-CE82-475F-A747-E9052A1D783D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:12.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "11D0FC72-5CC2-41BC-98B7-1E7F628D1DB6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files."
},
{
"lang": "es",
"value": "En el archivo core/doctype/prepared_report/prepared_report.py en Frappe versiones 11 y 12, los archivos de datos generados con Prepared Report estaban siendo almacenados como archivos p\u00fablicos (ninguna autenticaci\u00f3n es requerida para acceder; teniendo un enlace es suficiente) en lugar de archivos privados."
}
],
"id": "CVE-2019-20529",
"lastModified": "2024-11-21T04:38:40.850",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-18T19:15:17.373",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8884"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8885"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8884"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8885"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
},
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-12 18:15
Modified
2024-11-21 04:27
Severity ?
Summary
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80C1F650-D254-4FE5-8C4D-C271DB67FA55",
"versionEndIncluding": "12.0.4",
"versionStartIncluding": "10.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection."
},
{
"lang": "es",
"value": "Se detecto un problema en Frappe Framework versiones 10 a 12 antes de 12.0.4. Existe una inyecci\u00f3n SQL autenticada."
}
],
"id": "CVE-2019-14966",
"lastModified": "2024-11-21T04:27:47.233",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-12T18:15:12.240",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8044"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8045"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8046"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8047"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/releases/tag/v12.0.4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-25 15:15
Modified
2025-08-01 15:52
Severity ?
Summary
Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FD67F6DF-6F3F-42EA-B6CF-417FEB5F84B0",
"versionEndExcluding": "14.89.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E123DCAD-B49D-49BB-96FA-377FFEEE3103",
"versionEndExcluding": "15.51.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Se ha identificado una vulnerabilidad de inyecci\u00f3n SQL en Frappe Framework anterior a las versiones 14.89.0 y 15.51.0, que podr\u00eda permitir que un atacante acceda a informaci\u00f3n confidencial. Las versiones 14.89.0 y 15.51.0 solucionan el problema. Se requiere una actualizaci\u00f3n; no hay otro workaround."
}
],
"id": "CVE-2025-30212",
"lastModified": "2025-08-01T15:52:46.720",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-03-25T15:15:26.143",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/27f13437db161a173137d91cd07d0f9287d7c556"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/2ebd88520ecfa9bb7d3392b7de8c8f94a86ec05c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-3hj6-r5c9-q8f3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-25 15:15
Modified
2025-08-01 15:29
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There's no workaround; an upgrade is required.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DB7E7560-1622-49E0-9402-9EB4EF3F8446",
"versionEndExcluding": "14.91.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3DD22DEA-964A-4C6A-B495-4BB44C6A9A51",
"versionEndExcluding": "15.52.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There\u0027s no workaround; an upgrade is required."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.91.0 y 15.52.0, un usuario del sistema pod\u00eda crear ciertos documentos de una forma espec\u00edfica que pod\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo. Las versiones 14.9.1 y 15.52.0 contienen un parche para esta vulnerabilidad. No existe un workaround; se requiere una actualizaci\u00f3n."
}
],
"id": "CVE-2025-30213",
"lastModified": "2025-08-01T15:29:13.070",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-03-25T15:15:26.307",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-v342-4xr9-x3q3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-30 18:15
Modified
2025-07-08 14:43
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1A94A0B-B5E4-4F08-8817-7BC2C61922AB",
"versionEndExcluding": "14.94.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD95653C-461E-44CD-A6D6-918E52A0A895",
"versionEndExcluding": "15.58.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user\u0027s password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.94.3 y 15.58.0, una solicitud cuidadosamente manipulada pod\u00eda permitir que un atacante malicioso accediera al token de restablecimiento de contrase\u00f1a de un usuario. Esto solo se puede explotar en instancias alojadas en servidores propios con una configuraci\u00f3n espec\u00edfica. Los usuarios de Frappe Cloud est\u00e1n seguros. Este problema se ha corregido en las versiones 14.94.3 y 15.58.0. Las soluciones alternativas incluyen verificar las URL de restablecimiento de contrase\u00f1a antes de acceder a ellas o actualizar la versi\u00f3n para usuarios alojados en servidores propios."
}
],
"id": "CVE-2025-52898",
"lastModified": "2025-07-08T14:43:50.023",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-30T18:15:25.773",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/frappe/frappe/pull/31522"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-08-20 16:15
Modified
2025-08-22 20:52
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3E4598B-ECB0-4264-9344-0FB6333C5065",
"versionEndExcluding": "14.96.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD3D60D-BEC6-4207-AD31-8078145E5520",
"versionEndExcluding": "15.74.2",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Antes de las versiones 15.74.2 y 14.96.15, un atacante pod\u00eda implementar inyecciones SQL mediante solicitudes especialmente manipuladas, lo que permit\u00eda a usuarios malintencionados acceder a informaci\u00f3n confidencial. Esta vulnerabilidad es una evasi\u00f3n del parche oficial publicado para CVE-2025-52895. Esta vulnerabilidad se ha corregido en las versiones 15.74.2 y 14.96.15."
}
],
"id": "CVE-2025-55732",
"lastModified": "2025-08-22T20:52:02.230",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-20T16:15:43.127",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-11 16:15
Modified
2024-11-21 05:21
Severity ?
Summary
In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/frappe/frappe/pull/11262 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/frappe/frappe/pull/11263 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/11262 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/11263 | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CC9A88A7-23ED-4C37-AB13-DC70603214FC",
"versionEndExcluding": "12.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security."
},
{
"lang": "es",
"value": "En la autenticaci\u00f3n de doble factor, el sistema tambi\u00e9n env\u00eda una clave secreta 2fa en respuesta, lo que permite a un intruso violar la seguridad 2fa"
}
],
"id": "CVE-2020-27508",
"lastModified": "2024-11-21T05:21:17.230",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-11T16:15:12.167",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11262"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11263"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11262"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/11263"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-07 15:15
Modified
2024-11-21 08:59
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS code if user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81278517-B286-4C42-8320-A19A817D1705",
"versionEndExcluding": "14.59.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88151956-39A0-4C8E-8025-DCE54D8AE90B",
"versionEndExcluding": "15.5.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS code if user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaci\u00f3n web completo que utiliza Python y MariaDB en el lado del servidor y una librer\u00eda del lado del cliente estrechamente integrada. Antes de las versiones 14.59.0 y 15.5.0, las p\u00e1ginas del portal eran susceptibles a Cross-Site Scripting (XSS), que se puede utilizar para inyectar c\u00f3digo JS malicioso si el usuario hace clic en un enlace malicioso. Esta vulnerabilidad ha sido parcheada en las versiones 14.59.0 y 15.5.0. No hay workarounds disponibles."
}
],
"id": "CVE-2024-24812",
"lastModified": "2024-11-21T08:59:45.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-07T15:15:08.703",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.59.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7p3m-h76m-hg9v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/frappe/frappe/releases/tag/v14.59.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.5.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7p3m-h76m-hg9v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-30 17:15
Modified
2025-07-08 14:10
Severity ?
Summary
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1A94A0B-B5E4-4F08-8817-7BC2C61922AB",
"versionEndExcluding": "14.94.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD95653C-461E-44CD-A6D6-918E52A0A895",
"versionEndExcluding": "15.58.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.94.3 y 15.58.0, se pod\u00eda realizar una inyecci\u00f3n SQL mediante una solicitud especialmente manipulada, lo que pod\u00eda permitir que personas malintencionadas accedieran a informaci\u00f3n confidencial. Este problema se ha corregido en las versiones 14.94.3 y 15.58.0. No existen soluciones alternativas aparte de actualizar."
}
],
"id": "CVE-2025-52895",
"lastModified": "2025-07-08T14:10:54.147",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-30T17:15:32.930",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/c795e351be033070174437324d74f44759a744a6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/frappe/frappe/commit/f0933590103c80c6393647dd0403d399e64c951c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/frappe/frappe/pull/31526"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-mhj8-jfhf-mcw9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-21 02:52
Modified
2025-07-31 20:23
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C41A7002-9ECC-4557-8B9A-A31136576741",
"versionEndExcluding": "14.66.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00FD128E-B268-44B4-A6CB-820E6A694ABE",
"versionEndExcluding": "15.16.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available."
},
{
"lang": "es",
"value": "Frappe es un framework de aplicaci\u00f3n web completo. Antes de las versiones 14.66.3 y 15.16.0, los permisos de archivos se pod\u00edan omitir usando ciertos puntos finales, otorgando permiso a los usuarios menos privilegiados para eliminar o clonar un archivo. Las versiones 14.66.3 y 15.16.0 contienen un parche para este problema. No hay workarounds disponibles."
}
],
"id": "CVE-2024-27105",
"lastModified": "2025-07-31T20:23:40.647",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-21T02:52:18.373",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-27 18:15
Modified
2024-11-21 04:29
Severity ?
Summary
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/frappe/frappe/pull/8262 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/pull/8262 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "765BCD90-7CEC-49E1-ABD1-29C93FDAE736",
"versionEndIncluding": "12.0.8",
"versionStartIncluding": "12.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted \"changed value of\" text."
},
{
"lang": "es",
"value": "public/js/frappe/form/footer/timeline.js en Frappe Framework 12 a 12.0.8 no escapa al HTML en la l\u00ednea de tiempo y, por lo tanto, se ve afectado por el texto creado \"valor modificado de\"."
}
],
"id": "CVE-2019-15700",
"lastModified": "2024-11-21T04:29:17.070",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-27T18:15:11.153",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8262"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/frappe/frappe/pull/8262"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-25 18:15
Modified
2025-04-29 15:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/kiniza/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/frappe/frappe/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/kiniza/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/ | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe:14.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA1C2099-9FAF-4427-A699-8FBC840E7C37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter."
},
{
"lang": "es",
"value": "La versi\u00f3n 14.10.0 de Frappe permite a un atacante externo obtener de forma remota archivos locales arbitrarios. Esto es posible porque la aplicaci\u00f3n no valida correctamente la informaci\u00f3n inyectada por el usuario en el par\u00e1metro import_file."
}
],
"id": "CVE-2022-41712",
"lastModified": "2025-04-29T15:15:49.200",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-25T18:15:11.110",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/kiniza/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Product"
],
"url": "https://github.com/frappe/frappe/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/kiniza/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/frappe/frappe/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}