Possible HTML injection by any Desk user

Moderate
ankush published GHSA-j2w9-8xrr-7g98 Oct 21, 2023

Package

frappe (frappe)

Affected versions

<14.49.0

Patched versions

14.49.0

Description

Summary

A malicious Frappe user with Desk access could create documents containing HTML payloads, allowing HTML injection.

Workaround

No known workarounds exist. It is recommended to upgrade Frappe to the latest version.

Severity

Moderate (4.3 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-46127

Weaknesses

No CWEs
