CNNVD-202512-398 Information
CNNVD ID
CNNVD-202512-398
Related CVE
- CNNVD Published: 2025-12-03
Description (Chinese)
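Frappe Technologies Frappe Framework is a metadata-driven, full-stack web application framework based on Python and JavaScript, from the Indian company Frappe Technologies. ERPNext is an open-source enterprise resource planning solution from the Indian company ERPNext. ERPNext v15.83.2 and Frappe Technologies Frappe Framework v15.86.0 contain a security vulnerability that stems from improper validation of uploaded SVG avatar images and may lead to stored cross-site scripting.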
Description (English)
Frappe Technologies Frappe Framework is a metadata-driven, full-stack web application framework based on Python and JavaScript, developed by the Indian company Frappe Technologies. ERPNext is an open-source enterprise resource planning solution from the Indian company ERPNext. A security vulnerability exists in ERPNext v15.83.2 and Frappe Technologies Frappe Framework v15.86.0. It stems from improper validation of uploaded SVG avatar images and may result in stored cross-site scripting (XSS).
Hazard Level
Low
Vulnerability Type
Other
Published
2025-12-03
Last Modified
2026-02-24
References
https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267
https://github.com/frappe/erpnext
https://github.com/frappe/frappe
https://access.redhat.com/security/cve/cve-2025-65267
Patch
https://github.com/frappe/frappe/releases