SQL Injection Vulnerability Affects Frappe Users
CVE-2024-24813
7.5 HIGH
What is CVE-2024-24813?
Frappe Framework, a comprehensive web application framework, contains a SQL injection vulnerability that is reachable through a specific whitelisted method. The flaw allows attackers to access data beyond their permissions, which can lead to unauthorized information exposure. Versions prior to 14.64.0 and 15.0.0 are affected because they do not include the fix. No alternative workarounds are available, so users must upgrade to a patched version to protect against this vulnerability.
Affected Version(s)
frappe < 14.64.0
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
