CVE-2024-50356

NONE

Press - Info Disclosure

Title source: llm

Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). The password could be reset by anyone who have access to the mail inbox circumventing the 2FA. Even though they wouldn't be able to login by bypassing the 2FA. Only users who have enabled 2FA are affected. Commit ba0007c28ac814260f836849bc07d29beea7deb6 patches this bug.

References (2)

[Vendor Advisory] https://github.com/frappe/press/security/advisories/GHSA-g7mf-rm73-r7g9

[Patch] https://github.com/frappe/press/commit/ba0007c28ac814260f836849bc07d29beea7deb6

View Patch ZIP pw:eip

Scores

CVSS v3 0.0

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-640

Status published

Products (1)

frappe/press < ba0007c28ac814260f836849bc07d29beea7deb6

Published Oct 31, 2024

Tracked Since Feb 18, 2026