Vulnerability Description
Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Frappe | Frappe | < 14.74.0 |
Related Weaknesses (CWE)
References
- https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829Patch
- https://github.com/frappe/frappe/pull/26304Issue TrackingPatch
- https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894Vendor Advisory
- https://github.com/frappe/frappe/commit/65b3c42635038cdff17d3109be6c373bac004829Patch
- https://github.com/frappe/frappe/pull/26304Issue TrackingPatch
- https://github.com/frappe/frappe/security/advisories/GHSA-7g27-q225-j894Vendor Advisory
FAQ
What is CVE-2024-34074?
CVE-2024-34074 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used ...
How severe is CVE-2024-34074?
CVE-2024-34074 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-34074?
Check the references section above for vendor advisories and patch information. Affected products include: Frappe Frappe.