VYPR

Frappe

by Frappe

pypi: frappe

CVEs (65)

  • CVE-2022-23055 | Jun 22, 2022
    risk 0.00 | cvss | epss 0.01

    In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker…

  • CVE-2022-23058 | Jun 22, 2022
    risk 0.00 | cvss | epss 0.01

    ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.

  • CVE-2022-23057 | Jun 22, 2022
    risk 0.00 | cvss | epss 0.01

    In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to stored cross-site scripting (XSS) because user input is not validated properly. A low-privileged attacker could inject arbitrary code into input fields when editing his profile.

  • CVE-2020-27508 | Dec 11, 2020
    risk 0.00 | cvss | epss 0.01

    In two-factor authentication, the system also sends the 2FA secret key in the response, which enables an intruder to breach the 2FA security.

  • CVE-2019-20529 | Mar 18, 2020
    risk 0.00 | cvss | epss 0.01

    In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.

Page 4 of 4