By Risk Score
By Publish Date
By Recent Activity
frappe vulnerabilities and exploits
(subscribe to this query)
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text....
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment....
1 EDB exploit available
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter....
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection....
An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability....
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists....
In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files....
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability....
1 Github repository available
elevation of privilege