Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
frappe vulnerabilities and exploits
(subscribe to this query)
5.4
CVSSv3
CVE-2024-24812
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS...
Frappe Frappe
8.8
CVSSv3
CVE-2019-14966
An issue exists in Frappe Framework 10 through 12 prior to 12.0.4. There exists an authenticated SQL injection.
Frappe Frappe
6.5
CVSSv3
CVE-2022-41712
Frappe version 14.10.0 allows an external malicious user to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.
Frappe Frappe 14.10.0
9.8
CVSSv3
CVE-2023-42807
Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of t...
Frappe Frappe Lms
6.1
CVSSv3
CVE-2023-5555
Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms before 5614a6203fb7d438be8e2b1e3030e4528d170ec4.
Frappe Frappe Lms 1.0.0
7.5
CVSSv3
CVE-2018-20061
A SQL injection issue exists in ERPNext 10.x and 11.x up to and including 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaSc...
Frappe Erpnext
Frappe Erpnext 11.0.3
NA
CVE-2022-23055
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker c...
Frappe Erpnext 11.0.3
Frappe Erpnext
NA
CVE-2022-23056
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.
Frappe Erpnext
Frappe Erpnext 13.0.0
5.4
CVSSv3
CVE-2022-23057
In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.
Frappe Erpnext
NA
CVE-2022-23058
ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.
Frappe Erpnext
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27322
administrator privileges
CVE-2024-1579
hardcoded
CVE-2023-20198
CVE-2024-33587
CVE-2024-33449
CVE-2024-4308
HTML injection
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
NEXT »