Frappe Security Bulletin
This security bulletin contains detailed information about vulnerabilities affecting Frappe.
- The following list of vulnerabilities and exploits have been patched in all currently supported versions of Frappe.
- This list may be considered inexhaustive and is complete to our best knowledge.
- If any of the fixed issues haven't been added to the list, please submit an issue or a pull request regarding the same.
- If you find any vulnerability in the system that needs to be fixed, please report it to us.
- CVE-2018-5713 - Search Field Sanitization.
- Sanitize search fields to avoid SQL injection.
- CVE-2018-5721 - Filter Field Sanitization.
or_filterfields to avoid SQL injection.
- CVE-2018-5800 - Enhancement to CVE-2018-5713
- Tighten criteria to prevent SQL injection in search fields.
- CVE-2018-5785 - Prevent Brute Force on Login Page.
- Disallow user to login and lock user account after a certain number of bad password attempts.
- CVE-2018-4942 - Prevent direct access to Python files.
- Disallow direct user access to Python files.
- CVE-2017-2784 - Prevent SQL injection.
ORDER BYclause in queries to prevent SQL injection.
- CVE-2016-2481 - Fix User Permissions.
- Disallow access shared files to users with no permissions.