Frappe

Erpnext

61 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.2

CVE-2025-52042

Exploit
  • EPSS 0.3%
  • Veröffentlicht 01.10.2025 15:15:46
  • Zuletzt bearbeitet 03.10.2025 16:19:08

In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injec...

8.2

CVE-2025-52040

Exploit
  • EPSS 0.3%
  • Veröffentlicht 01.10.2025 15:15:46
  • Zuletzt bearbeitet 03.10.2025 16:19:24

In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanket_order_type pa...

8.2

CVE-2025-52039

Exploit
  • EPSS 0.31%
  • Veröffentlicht 01.10.2025 15:15:45
  • Zuletzt bearbeitet 03.10.2025 16:19:33

In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by inje...

6.5

CVE-2025-52050

Exploit
  • EPSS 0.24%
  • Veröffentlicht 30.09.2025 14:15:39
  • Zuletzt bearbeitet 03.10.2025 16:19:39

In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by inj...

6.5

CVE-2025-52049

Exploit
  • EPSS 0.24%
  • Veröffentlicht 30.09.2025 14:15:39
  • Zuletzt bearbeitet 03.10.2025 16:19:48

In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the...

6.5

CVE-2025-52047

Exploit
  • EPSS 0.24%
  • Veröffentlicht 30.09.2025 14:15:39
  • Zuletzt bearbeitet 03.10.2025 16:20:38

In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled para...

6.5

CVE-2025-52043

Exploit
  • EPSS 0.24%
  • Veröffentlicht 30.09.2025 14:15:39
  • Zuletzt bearbeitet 03.10.2025 16:20:49

In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting...

7.5

CVE-2025-52044

Exploit
  • EPSS 0.37%
  • Veröffentlicht 16.09.2025 00:00:00
  • Zuletzt bearbeitet 20.09.2025 02:58:35

In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into inventory_dimensions_dict parameter.

9.1

CVE-2025-58439

  • EPSS 0.29%
  • Veröffentlicht 06.09.2025 00:30:26
  • Zuletzt bearbeitet 27.10.2025 18:03:37

ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version coul...

8.1

CVE-2025-28062

Exploit
  • EPSS 0.76%
  • Veröffentlicht 05.05.2025 00:00:00
  • Zuletzt bearbeitet 17.06.2025 14:13:04

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF...