CVE-2025-11461 - Vulnerability Details - OpenCVE

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Frappe	Frappe Crm

No data.

No data.

References

Link	Providers
https://fluidattacks.com/advisories/oz
https://github.com/frappe/crm
https://github.com/frappe/crm/pull/1339

History

Wed, 26 Nov 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description		Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.
Title		Frappe CRM 1.53.1 — Multiple SQL Injections in Dashboard Controller
First Time appeared		Frappe Frappe frappe Crm
Weaknesses		CWE-89
CPEs		cpe:2.3:a:frappe:frappe_crm:1.53.1::linux::::: cpe:2.3:a:frappe:frappe_crm:1.53.1::macos::::: cpe:2.3:a:frappe:frappe_crm:1.53.1::windows:::::
Vendors & Products		Frappe Frappe frappe Crm
References		https://fluidattacks.com/advisories/oz https://github.com/frappe/crm https://github.com/frappe/crm/pull/1339
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2025-11-26T17:45:05.113Z

Updated: 2025-11-26T17:45:05.113Z

Reserved: 2025-10-07T19:00:42.063Z

Link: CVE-2025-11461

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-11-26T18:15:46.847

Modified: 2025-11-26T18:15:46.847

Link: CVE-2025-11461

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11461", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-10-07T19:00:42.063Z", "datePublished": "2025-11-26T17:45:05.113Z", "dateUpdated": "2025-11-26T17:45:05.113Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux", "Windows", "MacOS"], "product": "Frappe CRM", "vendor": "Frappe", "versions": [{"status": "affected", "version": "1.53.1"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe_crm:1.53.1:*:linux:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe_crm:1.53.1:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe_crm:1.53.1:*:macos:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Cristian Vargas"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.<br><p>This issue affects Frappe CRM: 1.53.1.</p>"}], "value": "Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.\nThis issue affects Frappe CRM: 1.53.1."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-11-26T17:45:05.113Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/oz"}, {"tags": ["product"], "url": "https://github.com/frappe/crm"}, {"tags": ["patch"], "url": "https://github.com/frappe/crm/pull/1339"}], "source": {"discovery": "UNKNOWN"}, "title": "Frappe CRM 1.53.1 \u2014 Multiple SQL Injections in Dashboard Controller", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.\nThis issue affects Frappe CRM: 1.53.1."}], "id": "CVE-2025-11461", "lastModified": "2025-11-26T18:15:46.847", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-11-26T18:15:46.847", "references": [{"source": "[email protected]", "url": "https://fluidattacks.com/advisories/oz"}, {"source": "[email protected]", "url": "https://github.com/frappe/crm"}, {"source": "[email protected]", "url": "https://github.com/frappe/crm/pull/1339"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "[email protected]", "type": "Primary"}]}