CVE-2024-50356

NONE

Press - Info Disclosure

Title source: llm

Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). The password could be reset by anyone who have access to the mail inbox circumventing the 2FA. Even though they wouldn't be able to login by bypassing the 2FA. Only users who have enabled 2FA are affected. Commit ba0007c28ac814260f836849bc07d29beea7deb6 patches this bug.

References (2)

[Patch] https://github.com/frappe/press/commit/ba0007c28ac814260f836849bc07d29beea7deb6

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/frappe/press/security/advisories/GHSA-g7mf-rm73-r7g9

Scores

EPSS 0.0003

EPSS Percentile 9.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Classification

CWE

CWE-640

Status draft

Timeline

Published Oct 31, 2024

Tracked Since Feb 18, 2026