Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor g

APPLICATION

CLOUD

30-06-2025 16:44

CVE-2025-52898 Vulnerabilidad documentada

8.7 HIGH

Tags

#exploit

#web

#reset

#config

#cloud

#application

#patched

#patch

#pass

#password

#malicious

#issue

#access

Descripción

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, carefully crafted request could lead malicious actor getting access user's password reset token. This can only be exploited on self hosted instances configured in certain way. Frappe Cloud users are safe. issue has been patched 15.58.0. Workarounds for this involve verifying URLs before clicking them or upgrading users.

https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2

https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66

https://github.com/frappe/frappe/pull/31522

https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j

Referencia

Link externo

Ver detalles

Fuente

https://nvd.nist.gov/vuln/detail/CVE-2025-52898

Resultados similares

Coincidentes en almenos en 50% de los tags

04-07-2025 CVE-2025-5351
A flaw was found in the key export functionality of libssh. The issue occurs in the internal fu...
Ver información

03-07-2025 CVE-2022-48279
In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly pars...
Ver información