CVE Daily

CVE-2024-24813

Frappe is a full-stack web application framework. Prior to versions 14.64.0 and ...

High CVSS 7.5

Overview

Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.

CWE: CWE-89 Published: 2024-03-21T02:52:11.770
Risk analysis

This vulnerability is rated 🟠 HIGH.

  • CVSS: 7.5 (HIGH)
  • Detected tags: sql (tag impact: MODERATE)

Recommended actions:

  • Use parameterized queries/ORM (avoid string concatenation).
  • Add WAF rules and input validation.

Recommended tools

Tags