Frappe 14.10.0 - Local File Read
|Name||Frappe 14.10.0 - LFR|
|Affected versions||Version 14.10.0|
|Kind||Lack of data validation - Path Traversal|
|Rule||063. Lack of data validation - Path Traversal|
|CVSSv3 Base Score||4.3|
Frappe version 14.10.0 allows an external attacker to remotely obtain
arbitrary local files. This is possible because the application does
not correctly validate the information injected by the user in the
This vulnerability occurs because the application does not correctly
validate the path of the
import_file parameter. Thanks to this, an
attacker can point to internal server files.
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-41712 to refer to this issue from now on.
Version: Frappe 14.10.0
Operating System: GNU/Linux
An updated version of Badaso is available at the vendor page.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page https://github.com/frappe/frappe
Release page https://github.com/frappe/frappe/releases/tag/v14.12.0
Vendor replied acknowledging the report.
Vendor Confirmed the vulnerability.