CVE-2023-41328

Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.2 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
GitHub_MCNA
4.2 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
frappefrappe
𝑥
< 13.46.1
frappefrappe
14.0.0 ≤
𝑥
< 14.20.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/frappe/frappe/releases/tag/v13.46.1
https://github.com/frappe/frappe/releases/tag/v14.20.0
https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679
https://github.com/frappe/frappe/releases/tag/v13.46.1
https://github.com/frappe/frappe/releases/tag/v14.20.0
https://github.com/frappe/frappe/security/advisories/GHSA-53wh-f67g-9679