Frappe: Security Vulnerabilities
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
CVSS Score
4.7
EPSS Score
0.003
Published
2020-03-18
In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-03-18
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-08-27
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.
CVSS Score
9.8
EPSS Score
0.018
Published
2019-08-12