CVE-2024-49751 LOW

CVE-2024-49751: Frappe Press possible HTML injection through SaaS Signup inputs

Vendor Frappe
Product press
Weakness CWE-79 · XSS
Published October 23, 2024
Last update October 23, 2024

CVSS base score

1.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U

What the vulnerability does

01 Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe HTML code would only affect themselves and would not affect other users. Commit 5d118a902872d7941f099ad1fb918e2421e79ccd patches this bug.

Key dates

02 Disclosure timeline

October 23, 2024 CVE published
October 23, 2024 Record updated