CVE-2022-41712

MEDIUM

Frappe 14.10.0 - Path Traversal via Import File Parameter

Description

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the value supplied by the user in the import_file parameter.

References (2)

Core References
Exploit, Third Party Advisory
https://fluidattacks.com/advisories/kiniza/

Scores

CVSS v3 6.5
EPSS 0.0089
EPSS Percentile 55.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
frappe/frappe 14.10.0
Published Nov 25, 2022
Tracked Since Feb 18, 2026