Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Frappe Subscribe

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 17 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-23055 1 Frappe 1 Erpnext 2022-07-05 5.5 MEDIUM 5.4 MEDIUM
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
CVE-2022-23058 1 Frappe 1 Erpnext 2022-07-05 3.5 LOW 5.4 MEDIUM
ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.
CVE-2022-23057 1 Frappe 1 Erpnext 2022-07-05 3.5 LOW 5.4 MEDIUM
In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.
CVE-2022-23056 1 Frappe 1 Erpnext 2022-07-01 3.5 LOW 5.4 MEDIUM
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.
CVE-2020-35175 1 Frappe 1 Frappe 2021-07-21 5.0 MEDIUM 5.3 MEDIUM
Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API.
CVE-2019-20511 1 Frappe 1 Erpnext 2020-08-24 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
CVE-2019-20521 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
CVE-2019-20518 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
CVE-2019-20515 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
CVE-2019-20516 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
CVE-2019-20517 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
CVE-2019-20519 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
CVE-2019-20520 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
CVE-2019-20514 1 Frappe 1 Erpnext 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
CVE-2019-15700 1 Frappe 1 Frappe 2019-09-04 4.3 MEDIUM 6.1 MEDIUM
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.
CVE-2019-14967 1 Frappe 1 Frappe 2019-08-15 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.
CVE-2018-11339 1 Frappe 1 Erpnext 2018-06-26 4.3 MEDIUM 6.1 MEDIUM
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.