Description
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscriptions, the marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through the SaaS signup inputs. The user who injected the unsafe HTML would only affect themselves and would not affect other users. Commit 5d118a902872d7941f099ad1fb918e2421e79ccd patches this bug.
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/frappe/press/security/advisories/GHSA-rf69-h96f-rf2j
Patch (x_refsource_misc): https://github.com/frappe/press/commit/5d118a902872d7941f099ad1fb918e2421e79ccd
Scores
CVSS v4: 1.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U)
EPSS: 0.0020
EPSS Percentile: 42.1%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1): frappe/press < 5d118a902872d7941f099ad1fb918e2421e79ccd
Published: Oct 23, 2024
Tracked Since: Feb 18, 2026