Lucene search

[email protected]NVD:CVE-2022-41712

HistoryNov 25, 2022 - 6:15 p.m.

CVE-2022-41712

2022-11-2518:15:11

CWE-22

[email protected]

web.nvd.nist.gov

frappe

version 14.10.0

external attacker

remote obtain

arbitrary local files

information validation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

37.4%

JSON

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.

Affected configurations

Nvd

Node

frappefrappeMatch14.10.0

VendorProductVersionCPE
frappefrappe14.10.0cpe:2.3:a:frappe:frappe:14.10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
frappe	frappe	14.10.0	cpe:2.3:a:frappe:frappe:14.10.0:::::::*

References

fluidattacks.com/advisories/kiniza/

github.com/frappe/frappe/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

37.4%

JSON

Related for NVD:CVE-2022-41712

prion1 cve1 cvelist1 osv1