Press
Monthly
Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.
Frappe Press `create_api_secret` endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.
Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.
Frappe Press `create_api_secret` endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.