Information Disclosure

Affecting frappe package, versions [11.0.0,11.1.64) || [12.0.0,12.1.0)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

frappe is a Low Code Open Source Framework in Python and JS.

Affected versions of this package are vulnerable to Information Disclosure. In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.

Remediation

Upgrade frappe to version 11.1.64, 12.1.0 or higher.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:U
Credit
Unknown
CVE
CVE-2019-20529
CWE
CWE-200
Snyk ID
SNYK-PYTHON-FRAPPE-560764
Disclosed
18 Mar, 2020
Published
18 Mar, 2020