Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
frappe frappe vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2023-42807
Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of t...
Frappe Frappe Lms
9.8
CVSSv3
CVE-2019-14965
An issue exists in Frappe Framework 10 through 12 prior to 12.0.4. A server side template injection (SSTI) issue exists.
Frappe Frappe
1 Github repository
8.8
CVSSv3
CVE-2020-6145
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Frappe Erpnext 11.1.38
8.8
CVSSv3
CVE-2019-14966
An issue exists in Frappe Framework 10 through 12 prior to 12.0.4. There exists an authenticated SQL injection.
Frappe Frappe
8.8
CVSSv3
CVE-2017-1000120
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.
Frappe Frappe
7.5
CVSSv3
CVE-2023-41328
Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users...
Frappe Frappe
7.5
CVSSv3
CVE-2020-27508
In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security.
Frappe Frappe
7.5
CVSSv3
CVE-2019-20529
In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.
Frappe Frappe 11.0.0
Frappe Frappe 12.0.0
7.5
CVSSv3
CVE-2018-20061
A SQL injection issue exists in ERPNext 10.x and 11.x up to and including 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaSc...
Frappe Erpnext
Frappe Erpnext 11.0.3
6.5
CVSSv3
CVE-2022-41712
Frappe version 14.10.0 allows an external malicious user to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.
Frappe Frappe 14.10.0
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-29895
blind SQL injection
CVE-2024-5064
CVE-2023-52677
CVE-2023-52682
CVE-2024-30051
CVE-2024-35849
remote attackers
remote
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
NEXT »