Lucene search

GitHub_MCVELIST:CVE-2024-24813

HistoryMar 20, 2024 - 6:11 p.m.

CVE-2024-24813 Frappe SQL Injection from reporting logic

2024-03-2018:11:34

CWE-89

GitHub_M

www.cve.org

frappe web application

sql injection

reporting logic

data access

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn’t have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "frappe",
    "product": "frappe",
    "versions": [
      {
        "version": "< 14.64.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-24813