CVE-2023-46127 MEDIUM

CVE-2023-46127: Frappe vulnerable to HTML injection by any Desk user

Vendor Frappe
Product frappe
Weakness CWE-79 · XSS
Published October 23, 2023
Last update September 11, 2024

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side together with an integrated client-side library. A malicious Frappe user with Desk access (the low-privilege, authenticated role reflected in PR:L above) could create documents whose field values contain HTML payloads; because those values were not neutralized before rendering, this allowed HTML injection (CWE-79, cross-site scripting) when the documents were displayed. This vulnerability has been patched in version 14.49.0.
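The pattern behind this class of bug, and the two checks a practitioner wants, as an added example (this is illustrative code written for this page, not Frappe's own rendering or sanitization code): a user-controlled document field interpolated into markup verbatim, the same field rendered with escaping, a heuristic for spotting stored values that already carry markup, and a version gate against the 14.49.0 fix version given above. The payload string, the `field-value` wrapper and the version strings are constructed assumptions; the only fact taken from the advisory is that 14.49.0 is the patched release.

```python
import html
import re
from typing import Tuple

# Constructed sample: a field value submitted by a low-privileged Desk user.
# The payload is hypothetical and only illustrates an HTML-injection attempt.
UNTRUSTED_FIELD = '<img src=x onerror="alert(document.cookie)">Quarterly report'


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value is dropped into markup as-is,
    so any tags or event handlers it carries reach the viewer's browser."""
    return f'<div class="field-value">{value}</div>'


def render_safe(value: str) -> str:
    """Hardened pattern: escape <, >, &, \" and ' before interpolation, so
    the value is displayed as text rather than parsed as HTML."""
    return f'<div class="field-value">{html.escape(value, quote=True)}</div>'


# Heuristic detector for stored field values that contain HTML tags; useful
# for sweeping existing records after upgrading to a patched release.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def looks_like_markup(value: str) -> bool:
    """Return True when the value contains something shaped like an HTML tag."""
    return bool(_TAG_RE.search(value))


# Fix version taken from the advisory text above.
PATCHED_VERSION = (14, 49, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating suffixes such as '-dev' by
    keeping only the leading digits of each component."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True when the installed version is at or above the 14.49.0 fix.
    Assumption: the advisory names only this threshold, so nothing else is
    inferred about other release lines."""
    return parse_version(version) >= PATCHED_VERSION


if __name__ == "__main__":
    print("unsafe :", render_unsafe(UNTRUSTED_FIELD))
    print("safe   :", render_safe(UNTRUSTED_FIELD))
    print("markup?:", looks_like_markup(UNTRUSTED_FIELD))
    print("14.48.2 patched?", is_patched("14.48.2"))
    print("14.49.0 patched?", is_patched("14.49.0"))
```

`looks_like_markup` is a triage aid, not a sanitizer: it will flag benign values such as a pasted code snippet, and it will miss payloads that avoid angle brackets entirely. The durable control is the one `render_safe` shows, escaping at the point of output (or, where rich text is genuinely required, an allow-list HTML sanitizer), combined with running a release at or above 14.49.0.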

Key dates

02 Disclosure timeline

October 23, 2023 CVE published
September 11, 2024 Record updated