Frappe up to 14.73.0/15.25.0 Login Page redirect

Summaryinfo

A vulnerability was found in Frappe up to 14.73.0/15.25.0. It has been classified as problematic. Affected by this vulnerability is an unknown functionality of the component Login Page. The manipulation of the argument redirect leads to redirect. This vulnerability is documented as CVE-2024-34074. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in Frappe up to 14.73.0/15.25.0. It has been rated as problematic. This issue affects an unknown code block of the component Login Page. The manipulation of the argument redirect with an unknown input leads to a redirect vulnerability. Using CWE to declare the problem leads to CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Impacted is integrity. The summary by CVE is:

Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2024-34074 since 04/30/2024. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1204.001 for this issue.

Upgrading to version 14.74.0 or 15.26.0 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• Frappe

Version

• 14.0
• 14.1
• 14.2
• 14.3
• 14.4
• 14.5
• 14.6
• 14.7
• 14.8
• 14.9
• 14.10
• 14.11
• 14.12
• 14.13
• 14.14
• 14.15
• 14.16
• 14.17
• 14.18
• 14.19
• 14.20
• 14.21
• 14.22
• 14.23
• 14.24
• 14.25
• 14.26
• 14.27
• 14.28
• 14.29
• 14.30
• 14.31
• 14.32
• 14.33
• 14.34
• 14.35
• 14.36
• 14.37
• 14.38
• 14.39
• 14.40
• 14.41
• 14.42
• 14.43
• 14.44
• 14.45
• 14.46
• 14.47
• 14.48
• 14.49
• 14.50
• 14.51
• 14.52
• 14.53
• 14.54
• 14.55
• 14.56
• 14.57
• 14.58
• 14.59
• 14.60
• 14.61
• 14.62
• 14.63
• 14.64
• 14.65
• 14.66
• 14.67
• 14.68
• 14.69
• 14.70
• 14.71
• 14.72
• 14.73.0
• 15.0
• 15.1
• 15.2
• 15.3
• 15.4
• 15.5
• 15.6
• 15.7
• 15.8
• 15.9
• 15.10
• 15.11
• 15.12
• 15.13
• 15.14
• 15.15
• 15.16
• 15.17
• 15.18
• 15.19
• 15.20
• 15.21
• 15.22
• 15.23
• 15.24
• 15.25.0

Website

• Product: https://github.com/frappe/frappe/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion