Frappe Security Bulletin

This security bulletin contains detailed information about vulnerabilities affecting Frappe.

Disclaimer

  • The following list of vulnerabilities and exploits has been patched in all currently supported versions of Frappe.
  • This list is complete to the best of our knowledge but should not be considered exhaustive.
    • If any fixed issue is missing from the list, please submit an issue or a pull request about it.
    • If you find any vulnerability in the system that needs to be fixed, please report it to us.

Security Vulnerabilities

v11

  • CVE-2018-5713 - Search Field Sanitization.
    • Sanitize search fields to avoid SQL injection.
  • CVE-2018-5721 - Filter Field Sanitization.
    • Sanitize the filter and or_filter fields to avoid SQL injection.
  • CVE-2018-5800 - Enhancement to CVE-2018-5713.
    • Tighten criteria to prevent SQL injection in search fields.
  • CVE-2018-5785 - Prevent Brute Force on Login Page.
    • Lock the user account and disallow login after a certain number of failed password attempts.
  • CVE-2018-4942 - Prevent direct access to Python files.
    • Disallow direct user access to Python files.
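The lockout described under CVE-2018-5785 is a counter of consecutive failed logins per account, with the account refused for a fixed window once the counter reaches a threshold. The following is an added illustration of that mechanism, written for this bulletin and not Frappe's own implementation; the class name LoginGuard, the threshold and window defaults, the PBKDF2 password hashing, and the injectable clock are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5      # assumed default threshold for this example
LOCK_SECONDS = 600    # assumed default lock window for this example
PBKDF2_ROUNDS = 50_000


def hash_password(password):
    """Return (salt, pbkdf2 digest) for storage. Hashing choice is an assumption."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, stored):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # compare_digest keeps the comparison time independent of where the bytes differ
    return hmac.compare_digest(candidate, digest)


# Verified for unknown usernames so that a missing account costs the same
# time as a wrong password (avoids revealing which usernames exist).
_DUMMY = hash_password("dummy-password")


class LoginGuard:
    """Per-account failed-login counter with a temporary lock (constructed example)."""

    def __init__(self, password_hashes, max_attempts=MAX_ATTEMPTS,
                 lock_seconds=LOCK_SECONDS, clock=time.time):
        self.hashes = password_hashes      # user -> (salt, digest)
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.clock = clock                 # injectable so tests can advance time
        self.failed = {}                   # user -> consecutive failures
        self.locked_until = {}             # user -> epoch seconds when lock expires

    def is_locked(self, user, now=None):
        now = self.clock() if now is None else now
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]    # lock window has elapsed
            return False
        return True

    def login(self, user, password):
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        if self.is_locked(user, now):
            return "locked"                # refuse without evaluating the password
        stored = self.hashes.get(user)
        if stored is None:
            verify_password(password, _DUMMY)
            return "bad_password"          # unknown users get no counter state
        if verify_password(password, stored):
            self.failed.pop(user, None)    # success clears the failure streak
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lock_seconds
            self.failed[user] = 0
            return "locked"
        return "bad_password"
```

Two details matter for the defender: a locked account is refused before the password is checked, so an attacker gains no signal during the window, and unknown usernames are verified against a dummy hash so response time does not reveal whether the account exists.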

v10

  • CVE-2017-2784 - Prevent SQL injection.
    • Validate the GROUP BY and ORDER BY clauses in queries to prevent SQL injection.
  • CVE-2016-2481 - Fix User Permissions.
    • Disallow access to shared files for users without permission.
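The v11 search and filter fixes (CVE-2018-5713, CVE-2018-5721, CVE-2018-5800) and the v10 GROUP BY / ORDER BY fix (CVE-2017-2784) address the same class of defect: user-supplied text reaching a query either as a value or as part of the clause structure. The example below is added here to show that distinction in working code; it is not Frappe's code and uses a constructed SQLite table and column allowlist (the user table, ALLOWED_FIELDS, and the function names are assumptions). Values are bound as parameters; clause fragments such as sort fields, sort direction and grouping columns are rebuilt from an identifier pattern plus an allowlist rather than copied from the request.

```python
import re
import sqlite3

# Constructed sample data and schema, used only to exercise the checks.
SAMPLE_ROWS = [
    ("Alice", "Sales", 1),
    ("Bob", "Engineering", 1),
    ("Carol", "Sales", 0),
]
ALLOWED_FIELDS = {"name", "department", "enabled"}   # columns a caller may name
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")    # plain SQL identifier
DIRECTIONS = {"asc", "desc"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, department TEXT, enabled INTEGER)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def validate_order_by(order_by, allowed_fields=ALLOWED_FIELDS):
    """Accept only 'field [asc|desc]' terms naming allowed columns.

    Returns a clause rebuilt from the validated tokens; raises ValueError
    for anything else, so the caller never interpolates the raw input."""
    parts = []
    for term in order_by.split(","):
        tokens = term.strip().split()
        if not tokens or len(tokens) > 2:
            raise ValueError(f"malformed ORDER BY term: {term!r}")
        field = tokens[0]
        direction = tokens[1].lower() if len(tokens) == 2 else "asc"
        if not IDENT_RE.match(field) or field not in allowed_fields:
            raise ValueError(f"unknown sort field: {field!r}")
        if direction not in DIRECTIONS:
            raise ValueError(f"bad sort direction: {direction!r}")
        parts.append(f"{field} {direction}")
    return ", ".join(parts)


def validate_group_by(group_by, allowed_fields=ALLOWED_FIELDS):
    """Accept only a comma-separated list of allowed column names."""
    fields = [f.strip() for f in group_by.split(",")]
    for field in fields:
        if not IDENT_RE.match(field) or field not in allowed_fields:
            raise ValueError(f"unknown group field: {field!r}")
    return ", ".join(fields)


def search_unsafe(db, txt, order_by):
    # 'Before' form: search text and sort clause are both interpolated as-is.
    sql = f"SELECT name FROM user WHERE name LIKE '%{txt}%' ORDER BY {order_by}"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, txt, order_by):
    # Search text travels as a bound parameter; the sort clause is allowlisted.
    clause = validate_order_by(order_by)
    sql = f"SELECT name FROM user WHERE name LIKE ? ORDER BY {clause}"
    return [row[0] for row in db.execute(sql, (f"%{txt}%",))]


def count_by(db, group_by):
    clause = validate_group_by(group_by)
    sql = f"SELECT {clause}, COUNT(*) FROM user GROUP BY {clause}"
    return db.execute(sql).fetchall()
```

The point of rebuilding the clause from tokens, rather than scanning the raw string for dangerous characters, is that a rejection is the default: anything that is not exactly an allowed column with an optional direction never reaches the query. The same shape applies to the filter and or_filter fields, where the field name and operator come from allowlists and the comparison value is always a bound parameter.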