CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42807 – Frappe LMS SQL Injection Issue on People Page
https://notcve.org/view.php?id=CVE-2023-42807
21 Sep 2023 — Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app. Frappe LMS es un sistema de gestión de aprendizaje de código abierto. • https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-41328 – Possibility limited SQL injection due to insufficient validation in Frappe
https://notcve.org/view.php?id=CVE-2023-41328
06 Sep 2023 — Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading. • https://github.com/frappe/frappe/releases/tag/v13.46.1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41712
https://notcve.org/view.php?id=CVE-2022-41712
25 Nov 2022 — Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter. La versión 14.10.0 de Frappe permite a un atacante externo obtener de forma remota archivos locales arbitrarios. Esto es posible porque la aplicación no valida correctamente la información inyectada por el usuario en el parámetro import_file. • https://fluidattacks.com/advisories/kiniza • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3988 – Frappe Search navbar_search.html cross site scripting
https://notcve.org/view.php?id=CVE-2022-3988
14 Nov 2022 — A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. • https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •
CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-35175
https://notcve.org/view.php?id=CVE-2020-35175
11 Dec 2020 — Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API. Frappe Framework versiones 12 y 13, no comprueban apropiadamente el método HTTP para la API frappe.client • https://github.com/frappe/frappe/pull/11228 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27508
https://notcve.org/view.php?id=CVE-2020-27508
11 Dec 2020 — In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security. En la autenticación de doble factor, el sistema también envía una clave secreta 2fa en respuesta, lo que permite a un intruso violar la seguridad 2fa • https://github.com/frappe/frappe/pull/11262 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-20529
https://notcve.org/view.php?id=CVE-2019-20529
18 Mar 2020 — In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files. En el archivo core/doctype/prepared_report/prepared_report.py en Frappe versiones 11 y 12, los archivos de datos generados con Prepared Report estaban siendo almacenados como archivos públicos (ninguna autenticación es requerida para acceder; teniendo un enlace es su... • https://github.com/frappe/frappe/pull/8884 • CWE-306: Missing Authentication for Critical Function CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-15700
https://notcve.org/view.php?id=CVE-2019-15700
27 Aug 2019 — public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text. public/js/frappe/form/footer/timeline.js en Frappe Framework 12 a 12.0.8 no escapa al HTML en la línea de tiempo y, por lo tanto, se ve afectado por el texto creado "valor modificado de". • https://github.com/frappe/frappe/pull/8262 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2019-14965
https://notcve.org/view.php?id=CVE-2019-14965
12 Aug 2019 — An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists. Se detecto un problema en Frappe Framework versiones 10 a 12 antes de 12.0.4. Existe un problema de inyección de plantilla del lado del servidor (SSTI). • https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2019-14966
https://notcve.org/view.php?id=CVE-2019-14966
12 Aug 2019 — An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection. Se detecto un problema en Frappe Framework versiones 10 a 12 antes de 12.0.4. Existe una inyección SQL autenticada. • https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •