Lucene search

GoogleOSV:CVE-2023-46127

HistoryOct 23, 2023 - 3:15 p.m.

CVE-2023-46127

2023-10-2315:15:09

Google

osv.dev

frappe

web application

python

mariadb

html injection

vulnerability

patched

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

24.5%

JSON

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0.

References

github.com/frappe/frappe/commit/3dc5d2fcc7561dde181ba953009fe6e39d64e900

github.com/frappe/frappe/pull/22339

github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98