Frappe
by Frappe
CVEs (65)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-23055 | | | 0.00 | — | 0.01 | | Jun 22, 2022 | In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker… |
| CVE-2022-23058 | | | 0.00 | — | 0.01 | | Jun 22, 2022 | ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover. |
| CVE-2022-23057 | | | 0.00 | — | 0.01 | | Jun 22, 2022 | In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile. |
| CVE-2020-27508 | | | 0.00 | — | 0.01 | | Dec 11, 2020 | In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security. |
| CVE-2019-20529 | | | 0.00 | — | 0.01 | | Mar 18, 2020 | In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files. |