CVE-2025-30214

Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading.

CVSS

No CVSS.

References

Link	Resource
https://github.com/frappe/frappe/security/advisories/GHSA-qrv3-jc3h-f3m6

Configurations

No configuration.

History

27 Mar 2025, 16:45

Type	Values Removed	Values Added
Summary		(es) Frappe es un framework de aplicaciones web integral. En versiones anteriores a la 14.89.0 y la 15.51.0, realizar solicitudes manipuladas podía provocar la divulgación de información, lo que a su vez podía llevar al robo de cuentas. Las versiones 14.89.0 y 15.51.0 solucionan este problema. No existe un workaround sin actualizar.

25 Mar 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-25 15:15

Updated : 2025-03-27 16:45

NVD link : CVE-2025-30214

Mitre link : CVE-2025-30214

CVE.ORG link : CVE-2025-30214

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-287

Improper Authentication

{"id": "CVE-2025-30214", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-25T15:15:26.460", "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-qrv3-jc3h-f3m6", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading."}, {"lang": "es", "value": "Frappe es un framework de aplicaciones web integral. En versiones anteriores a la 14.89.0 y la 15.51.0, realizar solicitudes manipuladas pod\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, lo que a su vez pod\u00eda llevar al robo de cuentas. Las versiones 14.89.0 y 15.51.0 solucionan este problema. No existe un workaround sin actualizar."}], "lastModified": "2025-03-27T16:45:46.410", "sourceIdentifier": "security-advisories@github.com"}