
CVE-2023-46127 – Frappe vulnerable to HTML injection by any Desk user
https://notcve.org/view.php?id=CVE-2023-46127
23 Oct 2023 — Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0. • https://github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-5555 – Cross-site Scripting (XSS) - Generic in frappe/lms
https://notcve.org/view.php?id=CVE-2023-5555
12 Oct 2023 — Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4. • https://github.com/frappe/lms/commit/5614a6203fb7d438be8e2b1e3030e4528d170ec4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-42807 – Frappe LMS SQL Injection Issue on People Page
https://notcve.org/view.php?id=CVE-2023-42807
21 Sep 2023 — Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, the People Page of LMS had an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app. • https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-41328 – Possibility of limited SQL injection due to insufficient validation in Frappe
https://notcve.org/view.php?id=CVE-2023-41328
06 Sep 2023 — Frappe is a low code web framework written in Python and JavaScript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There is no workaround to fix this without upgrading. • https://github.com/frappe/frappe/releases/tag/v13.46.1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2022-41712
https://notcve.org/view.php?id=CVE-2022-41712
25 Nov 2022 — Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter. • https://fluidattacks.com/advisories/kiniza • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-3988 – Frappe Search navbar_search.html cross site scripting
https://notcve.org/view.php?id=CVE-2022-3988
14 Nov 2022 — A vulnerability was found in Frappe. It has been rated as problematic. This issue affects some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. Manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. • https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •

CVE-2022-28598 – ERPNext 12.29 - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-28598
22 Aug 2022 — Frappe ERPNext 12.29.0 is vulnerable to XSS: the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users. ERPNext version 12.29 suffers fr... • https://packetstorm.news/files/id/171730 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-23055 – ERPNext - Improper user access control
https://notcve.org/view.php?id=CVE-2022-23055
22 Jun 2022 — ERPNext versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users. • https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134 • CWE-862: Missing Authorization •

CVE-2022-23058 – ERPNext - Stored XSS in My Settings
https://notcve.org/view.php?id=CVE-2022-23058
22 Jun 2022 — ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the 'username' field in 'my settings', which can lead to full account takeover. • https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-23056 – ERPNext - Stored XSS leads to account takeover
https://notcve.org/view.php?id=CVE-2022-23056
22 Jun 2022 — ERPNext versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS on the Patient History page, which allows a low privilege user to conduct an account takeover attack. • https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •