Frappe fixes vulnerability in login page redirect

CVE-2024-34074

6.1MEDIUM

Key Information

Vendor: Frappe
Status: Frappe
Vendor: CVE Published:; 14 May 2024

Summary

Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0.

Affected Version(s)

frappe <= 15.0.0, 15.25.0

frappe <= 14.73.0

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published.
May 14, 2024
Vulnerability Reserved.
Apr 30, 2024

Collectors

NVD DatabaseMitre Database