CVE-2024-49751

Oct. 25, 2024, 12:56 p.m.

None
No Score

Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe HTML code would only affect themselves and would not affect other users. Commit 5d118a902872d7941f099ad1fb918e2421e79ccd patches this bug.

Product(s) Impacted

Product Versions
Frappe
  • before commit 5d118a902872d7941f099ad1fb918e2421e79ccd

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/frappe/press/commit/5d118a902872d7941f099ad1fb918e2421e79ccd
https://github.com/frappe/press/security/advisories/GHSA-rf69-h96f-rf2j

Tags

security-advisories@github.com
CWE-79
2024-10-23
CVE-2024-49751

Timeline

Published: Oct. 23, 2024, 4:15 p.m.
Last Modified: Oct. 25, 2024, 12:56 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.