Filtered by vendor Frappe
Total: 66 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2025-55006 | Frappe | Frappe Lms, Learning | 2025-10-06 | 4.3 Medium | Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0.
CVE-2025-11283 | Frappe | Frappe Lms | 2025-10-06 | 2.4 Low | A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Manipulation of the argument Description can lead to cross-site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
CVE-2025-11280 | Frappe | Frappe Lms | 2025-10-06 | 3.7 Low | A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation results in a direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
CVE-2025-11282 | Frappe | Frappe Lms | 2025-10-06 | 2.4 Low | A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross-site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
CVE-2025-11281 | Frappe | Frappe Lms | 2025-10-06 | 5.0 Medium | A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
CVE-2025-56379 | Erpnext, Frappe | Erpnext, Erpnext, Frappe | 2025-10-03 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
CVE-2023-42807 | Frappe | Learning | 2025-10-03 | 6.3 Medium | Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, the People Page of LMS had an SQL injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app.
CVE-2023-5555 | Frappe | Learning | 2025-10-03 | 6.1 Medium | Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4.
CVE-2025-52043 | Frappe | Erpnext | 2025-10-03 | 6.5 Medium | In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter.
CVE-2025-52047 | Frappe | Erpnext | 2025-10-03 | 6.5 Medium | In Frappe ERPNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter.
CVE-2025-52049 | Frappe | Erpnext | 2025-10-03 | 6.5 Medium | In Frappe ERPNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the timelog parameter.
CVE-2025-52050 | Frappe | Erpnext | 2025-10-03 | 6.5 Medium | In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter.
CVE-2025-52039 | Frappe | Erpnext | 2025-10-03 | 8.2 High | In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.
CVE-2025-52040 | Frappe | Erpnext | 2025-10-03 | 8.2 High | In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type parameter.
CVE-2025-52041 | Frappe | Erpnext | 2025-10-03 | 8.2 High | In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
CVE-2025-52042 | Frappe | Erpnext | 2025-10-03 | 8.2 High | In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query via the txt parameter.
CVE-2025-56380 | Frappe | Erpnext, Frappe | 2025-10-03 | 6.5 Medium | Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via a crafted value supplied in the fieldname parameter of the frappe.client.get_value API endpoint.
CVE-2025-56381 | Erpnext, Frappe | Erpnext, Erpnext, Frappe | 2025-10-03 | 6.5 Medium | ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
CVE-2025-52044 | Frappe | Erpnext | 2025-09-20 | 7.5 High | In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
CVE-2025-52048 | Frappe | Frappe | 2025-09-20 | 6.5 Medium | In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.