CVE-2020-27508
- EPSS 0.34%
- Published 11.12.2020 16:15:12
- Last modified 21.11.2024 05:21:17
In two-factor authentication, the system also sends the 2FA secret key in the response, which enables an intruder to breach the 2FA security.
CVE-2019-20529
- EPSS 0.37%
- Published 18.03.2020 19:15:17
- Last modified 21.11.2024 04:38:40
In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.
CVE-2019-15700
- EPSS 0.33%
- Published 27.08.2019 18:15:11
- Last modified 21.11.2024 04:29:17
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.
CVE-2019-14967
- EPSS 0.31%
- Published 12.08.2019 18:15:12
- Last modified 21.11.2024 04:27:47
An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.
CVE-2019-14966
- EPSS 1.01%
- Published 12.08.2019 18:15:12
- Last modified 21.11.2024 04:27:47
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.
CVE-2019-14965
- EPSS 1.8%
- Published 12.08.2019 18:15:12
- Last modified 21.11.2024 04:27:47
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.
CVE-2017-1000120
- EPSS 0.37%
- Published 05.10.2017 01:29:04
- Last modified 20.04.2025 01:37:25
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.