CVE-2024-24812 MEDIUM

CVE-2024-24812: Frappe Authenticated Reflected Cross-Site Scripting (XSS) in portal pages

Vendor Frappe
Product frappe
Weakness CWE-79 · XSS
Published February 7, 2024
Last update August 1, 2024

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client-side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to reflected Cross-Site Scripting (XSS), which can be used to inject malicious JS code if a user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available.
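The following is an added illustrative example, not Frappe's own code and not the patched code for this CVE. It shows the general shape of a reflected XSS in a portal-style page (a request parameter interpolated into HTML untouched) beside the hardened form that escapes untrusted input before it reaches the page, which is what a template engine's autoescape does for you. The URLs, the `title` parameter and the function names are constructed for the example.

```python
"""
Reflected XSS in a page that echoes a request parameter, vulnerable and hardened.
Illustrative only: this is not Frappe's portal code, and the URLs and parameter
names are constructed for the example.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request URLs. The second carries an HTML/script probe in the
# `title` parameter, standing in for the crafted link a user might be tricked
# into clicking; parse_qs will percent-decode it back into markup.
SAMPLE_URLS = [
    "https://portal.example/orders?title=Invoices",
    "https://portal.example/orders?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
]


def query_param(url: str, name: str, default: str = "") -> str:
    """Return the first value of a query-string parameter, or the default."""
    params = parse_qs(urlsplit(url).query)
    return params.get(name, [default])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable form: the parameter is interpolated into HTML as-is, so any
    markup carried by the link becomes live markup in the rendered page."""
    title = query_param(url, "title", "Portal")
    return f"<h1>{title}</h1>"


def render_fixed(url: str) -> str:
    """Hardened form: escape before interpolation (what autoescape does in a
    template), so '<', '>', '&' and quotes become entities and the browser
    treats the value as text, never as tags or attributes."""
    title = query_param(url, "title", "Portal")
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def escapes_probe(render, url: str) -> bool:
    """Regression check a defender can keep in a test suite: True when the
    renderer does not reproduce the raw probe markup from the URL verbatim."""
    raw = query_param(url, "title")
    return raw not in render(url)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("vulnerable:", render_vulnerable(url))
        print("fixed:     ", render_fixed(url))
    print("fixed renderer passes probe check:", escapes_probe(render_fixed, SAMPLE_URLS[1]))
```

The point of the check at the end is that the vulnerability class is about the output context, not the input: the same parameter value is harmless in one renderer and live script in the other, so the fix belongs at the point where untrusted data is written into HTML (and the same escaping must be applied consistently across every portal page, which is why a framework-level patch rather than a per-page workaround is the remedy here).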

Key dates

Disclosure timeline

February 7, 2024 CVE published
August 1, 2024 Record updated