Skip to main content

Learning CVE-2023-42807

CRITICAL
SQL Injection (CWE-89)
2023-09-21 security-advisories@github.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 21, 2023 - 17:15 nvd
CRITICAL 9.8

DescriptionNVD

Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the main branch. Users won't face this issue if they are using the latest main branch of the app.

AnalysisAI

Frappe LMS is an open source learning management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the main branch. Users won't face this issue if they are using the latest main branch of the app. Affected products include: Frappe Learning.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2023-5555 MEDIUM POC
6.1 Oct 12

Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4.

CVE-2025-11280 LOW POC
2.9 Oct 05

Information disclosure vulnerability in Frappe LMS 2.35.0 allows remote unauthenticated attackers to access sensitive as

CVE-2025-66581 MEDIUM
6.5 Dec 05

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0,

CVE-2025-11283 LOW POC
1.9 Oct 05

Cross-site scripting (XSS) in Frappe LMS 2.35.0 Course Handler allows authenticated users with high privileges to inject

CVE-2026-23497 MEDIUM
5.4 Jan 14

Frappe Learning Management System versions 2.44.0 and earlier contain a stored cross-site scripting (XSS) vulnerability

CVE-2025-11281 LOW POC
1.3 Oct 05

Frappe LMS 2.35.0 contains improper access controls in the Unpublished Course Handler component at the /courses/ endpoin

CVE-2026-26031 MEDIUM
5.3 Feb 11

Frappe Learning Management System versions prior to 2.44.0 contain an information disclosure vulnerability that allows u

CVE-2026-26977 MEDIUM
5.3 Feb 20

Frappe Learning Management System versions 2.44.0 and below allow unauthenticated attackers to retrieve sensitive detail

CVE-2025-59415 MEDIUM
4.6 Sep 17

Frappe Learning is a learning system that helps users structure their content. Rated medium severity (CVSS 4.6), this vu

CVE-2025-64707 LOW
1.2 Nov 12

Frappe Learning is a learning system that helps users structure their content. Rated low severity (CVSS 1.2), this vulne

CVE-2025-64705 LOW
1.3 Nov 12

Frappe Learning is a learning system that helps users structure their content. Rated low severity (CVSS 1.3), this vulne

CVE-2025-55006 MEDIUM
4.3 Aug 09

Frappe Learning is a learning system that helps users structure their content. Rated medium severity (CVSS 4.3), this vu

Share

CVE-2023-42807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy