Frappe
cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*
- 16.10.0
A stored cross-site scripting vulnerability has been identified in Frappe Framework version 16.10.0. This issue allows authenticated attackers to inject malicious scripts into various field types, which are executed on the client side when the document is opened by another user. The vulnerability arises because the affected formatter implementations do not properly escape interpolated values before inserting them into raw HTML, leaving room for script execution.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the document.
To reproduce this vulnerability, log into Desk as an authenticated user and open a document with a Color or Icon field. Intercept the save request and replace the field value with a crafted input that includes a script payload, such as an `onmousemove` or `onmouseover` event handler. Once the request is forwarded and the tampered value is stored, the injected script executes when a user opens the document and hovers over the affected field.
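The root cause described above (a formatter interpolating a stored value into raw HTML without escaping) and two layers of fix, as an added example that is not Frappe's code: the formatter functions, the markup they emit and the hex-colour allow-list are assumptions for illustration.

```javascript
// Added example: hypothetical formatters for illustration, not Frappe's source.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the stored value goes into the markup as-is, so a double
// quote in the value closes the style attribute and opens a new one.
function formatColorUnsafe(value) {
  return `<div class="swatch" style="background-color: ${value}"></div>`;
}

// Fix, layer 1: escape on output so the value cannot leave its attribute.
function formatColorEscaped(value) {
  return `<div class="swatch" style="background-color: ${escapeHtml(value)}"></div>`;
}

// Fix, layer 2: allow-list the value (assumption: Color holds hex colours).
// Escaping alone still lets arbitrary CSS text into the style attribute.
const HEX_COLOR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;
function formatColorStrict(value) {
  const color = HEX_COLOR.test(String(value)) ? String(value) : "";
  return formatColorEscaped(color);
}

// Quote-aware list of attribute names present in a fragment, used to check
// whether a field value managed to add an attribute of its own.
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample value with an inert handler body.
const TAMPERED = '#fff" onmouseover="void 0';

console.log(attributeNames(formatColorUnsafe(TAMPERED)));
console.log(attributeNames(formatColorEscaped(TAMPERED)));
console.log(formatColorStrict(TAMPERED));
```

The same two layers apply to an Icon field, with an allow-list that matches icon names instead of colours.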