Frappe Cross-Site Scripting Vulnerability in Data Import Feature

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Frappe web application framework, affecting the 14.x series before 14.94.2 and the 15.x series before 15.57.0. The issue lies in the Data Import feature: an authenticated user could upload a crafted import file whose contents were not properly sanitized before being rendered, so script embedded in the file's values could execute in the browser. The vulnerability has been patched in versions 14.94.2 and 15.57.0.
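To make the class of bug concrete, here is an added illustration (not Frappe's own code, and not a reproduction of the actual flaw) of how a value parsed from an imported file turns into script when it is concatenated into markup unescaped, next to the hardened form. All function names, the sample row and the payload are constructed for this example.

```javascript
// Added illustration, not Frappe's code: an imported cell value rendered into
// a preview table without escaping, and the same rendering with escaping.
// Names and sample data are hypothetical.

// Constructed sample row, as a CSV parser might hand it to the preview code.
// The second cell carries an HTML payload instead of a plain value.
const SAMPLE_ROW = ["Alice", "<img src=x onerror=\"alert(document.cookie)\">", "42"];

// Escape the characters that change meaning inside HTML text or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: cell contents go straight into markup that the page
// later assigns to innerHTML, so imported data is parsed as HTML.
function renderPreviewRowUnsafe(cells) {
  return "<tr>" + cells.map(c => "<td>" + c + "</td>").join("") + "</tr>";
}

// Hardened pattern: every cell is escaped before it is placed in markup, so
// the payload is displayed as text rather than interpreted as an element.
function renderPreviewRowSafe(cells) {
  return "<tr>" + cells.map(c => "<td>" + escapeHtml(c) + "</td>").join("") + "</tr>";
}

// Review/test helper: does the rendered markup contain any tag other than the
// <tr>/<td> elements the renderer itself is supposed to emit?
function containsUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(t => !/^<\/?(tr|td)>$/.test(t));
}

console.log("unsafe:", renderPreviewRowUnsafe(SAMPLE_ROW));
console.log("safe:  ", renderPreviewRowSafe(SAMPLE_ROW));
```

In a real page the better fix is to avoid building HTML strings at all: create the cell with `document.createElement("td")` and assign the value to `textContent`, which cannot introduce markup. The `containsUnexpectedTags` check is useful as a regression test for any renderer that still produces strings: feed it rows containing `<`, `"` and `&` and assert that only the intended tags survive.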

Impact

Exploitation requires an authenticated account with access to Data Import. An attacker with such an account can embed script in an import file that is then executed in the browser session of whoever views the imported content, with that user's privileges in the Frappe site (for example, performing actions or reading data as that user).

Remediation

Users are advised to upgrade to Frappe 14.94.2 on the 14.x series or 15.57.0 on the 15.x series. Until the upgrade is applied, limiting the Data Import feature to trusted roles reduces exposure, since the attack needs an authenticated user who can upload import files.

Added: Jun 30, 2025, 6:22 PM
Updated: Jun 30, 2025, 6:48 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.7
exploitability: 6.1
remediation: 7.7
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.