
CVSS: 6.4 · EPSS: 0% · CPEs: 1 · EXPL: 0

14 Nov 2022 - A vulnerability was found in Frappe and rated as problematic. It affects unknown functionality in the file frappe/templates/includes/navbar/navbar_search.html of the Search component. Manipulation of the argument q leads to cross-site scripting. The attack may be launched remotely. • https://github.com/frappe/frappe/commit/bfab7191543961c6cb77fe267063877c31b616ce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · CWE-707: Improper Neutralization

CVSS: 5.3 · EPSS: 0% · CPEs: 9 · EXPL: 0

11 Dec 2020 - Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API. • https://github.com/frappe/frappe/pull/11228

CVSS: 7.5 · EPSS: 0% · CPEs: 1 · EXPL: 0

11 Dec 2020 - In two-factor authentication, the system also sends the 2FA secret key in the response, which enables an intruder to bypass the 2FA protection. • https://github.com/frappe/frappe/pull/11262

CVSS: 7.5 · EPSS: 0% · CPEs: 2 · EXPL: 0

18 Mar 2020 - In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were stored as public files (no authentication is required to access them; having the link is sufficient) instead of private files. • https://github.com/frappe/frappe/pull/8884 • CWE-306: Missing Authentication for Critical Function · CWE-552: Files or Directories Accessible to External Parties

CVSS: 6.1 · EPSS: 0% · CPEs: 1 · EXPL: 1

27 Aug 2019 - public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and is therefore affected by crafted "changed value of" text. • https://github.com/frappe/frappe/pull/8262 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 · EPSS: 1% · CPEs: 1 · EXPL: 0

12 Aug 2019 - An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server-side template injection (SSTI) issue exists. • https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 · EPSS: 1% · CPEs: 1 · EXPL: 0

12 Aug 2019 - An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. An authenticated SQL injection exists. • https://github.com/frappe/frappe/compare/v12.0.3...v12.0.4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 · EPSS: 0% · CPEs: 3 · EXPL: 0

12 Aug 2019 - An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. An XSS vulnerability exists. • https://github.com/frappe/frappe/compare/v11.1.45...v11.1.46 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 · EPSS: 0% · CPEs: 1 · EXPL: 0

04 Oct 2017 - [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. • http://tech.mantz-it.com/2016/12/sql-injection-in-frappe-framework.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')