CVE-2023-41328: Possibility of limited SQL injection due to insufficient validation
Frappe is a low-code web framework written in Python and JavaScript. A SQL injection vulnerability caused by insufficient input validation has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade; there is no workaround short of upgrading.
Moderate
ankush published GHSA-53wh-f67g-9679
Sep 6, 2023
Package
frappe
Affected versions
< 13.46.1
< 14.20.0
Patched versions
13.46.1
14.20.0
Description
Impact
A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information.
Workarounds
There is no workaround; upgrading to a patched version is the only fix.
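Because the only remediation is to upgrade, the practical check is whether each deployment sits below the fixed release on its own major line (13.x before 13.46.1, 14.x before 14.20.0). The script below is an added example written for this page, not code from the Frappe project or the advisory; the host inventory is constructed for illustration, and the version strings are assumed to look like what `bench version` or `pip show frappe` report (an optional `v` prefix, `MAJOR.MINOR.PATCH`, and an optional pre-release suffix).

```python
"""Check installed Frappe versions against the CVE-2023-41328 / GHSA-53wh-f67g-9679 ranges."""
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, keyed by major version line.
# Any release on the same line below the fixed one is in scope.
FIXED_BY_LINE: Dict[int, Tuple[int, int, int]] = {
    13: (13, 46, 1),
    14: (14, 20, 0),
}


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for strings such as
    'v14.19.0', '13.46.1' or '14.20.0-beta.2'. Raises ValueError otherwise."""
    s = text.strip()
    if s[:1] in ("v", "V"):
        s = s[1:]
    core, sep, _ = s.partition("-")   # '-beta', '-rc1', ... mark a pre-release
    core = core.split("+", 1)[0]      # drop build metadata
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch), bool(sep)


def status(text: str) -> str:
    """'affected', 'patched' or 'not covered' according to the advisory ranges."""
    (major, minor, patch), prerelease = parse_version(text)
    fixed = FIXED_BY_LINE.get(major)
    if fixed is None:
        # The advisory only lists the 13.x and 14.x lines; do not guess about others.
        return "not covered"
    current = (major, minor, patch)
    if current < fixed:
        return "affected"
    if current == fixed and prerelease:
        # A 14.20.0 pre-release predates the 14.20.0 release that carries the fix.
        return "affected"
    return "patched"


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {host: installed version}, return the hosts that must be upgraded, sorted."""
    return sorted(host for host, ver in inventory.items() if status(ver) == "affected")


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    sample = {
        "erp-prod-1": "v14.19.3",
        "erp-prod-2": "14.20.0",
        "erp-staging": "13.45.0",
        "erp-legacy": "13.46.1",
        "erp-beta": "14.20.0-beta.1",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} -> upgrade required")
```

The pre-release branch matters in practice: a string like `14.20.0-beta.1` compares equal to the fixed tuple once the suffix is stripped, so a naive check would wrongly report it as patched. Versions outside the two listed lines are reported as "not covered" rather than "patched", since the advisory says nothing about them.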
Severity
Moderate
4.2 / 10
CVSS base metrics
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE ID
CVE-2023-41328
Weaknesses
CWE-89
Credits
- sagarvora (Analyst)
- ankush (Remediation reviewer)