Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
Active
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
Low
Availability (Subsequent System)
None
Affected products
- frappe / Frappe Framework17.0.0-dev – 17.0.0-dev
References
- VENDOR_ADVISORYhttps://fluidattacks.com/es/advisories/soja
- MISChttps://github.com/frappe/frappe