CVE-2024-24813 - Vulnerability Details - OpenCVE

Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Frappe	Frappe

Configuration 1 [-]

cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh

History

Thu, 31 Jul 2025 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:frappe:frappe::::::::

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-20T18:11:34.165Z

Updated: 2024-08-05T19:24:50.323Z

Reserved: 2024-01-31T16:28:17.941Z

Link: CVE-2024-24813

Vulnrichment

Updated: 2024-08-01T23:28:12.814Z

NVD

Status : Analyzed

Published: 2024-03-21T02:52:11.770

Modified: 2025-07-31T20:16:59.737

Link: CVE-2024-24813

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24813", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-31T16:28:17.941Z", "datePublished": "2024-03-20T18:11:34.165Z", "dateUpdated": "2024-08-05T19:24:50.323Z"}, "containers": {"cna": {"title": "Frappe SQL Injection from reporting logic", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": "< 14.64.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-20T18:11:34.165Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."}], "source": {"advisory": "GHSA-fxfv-7gwx-54jh", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.814Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}]}, {"affected": [{"vendor": "frappe", "product": "frappe", "cpes": ["cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "14.64.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T18:29:09.001899Z", "id": "CVE-2024-24813", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T19:24:50.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.814Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T18:29:09.001899Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*"], "vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": "0", "lessThan": "14.64.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T19:24:37.568Z"}}], "cna": {"title": "Frappe SQL Injection from reporting logic", "source": {"advisory": "GHSA-fxfv-7gwx-54jh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": "< 14.64.0"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-20T18:11:34.165Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24813", "state": "PUBLISHED", "dateUpdated": "2024-08-05T19:24:50.323Z", "dateReserved": "2024-01-31T16:28:17.941Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-20T18:11:34.165Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "B63AB31A-29DA-4A7A-8789-F97C6A9712E2", "versionEndExcluding": "14.64.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."}, {"lang": "es", "value": "Frappe es un framework de aplicaci\u00f3n web completo. Antes de las versiones 14.64.0 y 15.0.0, la inyecci\u00f3n SQL desde un m\u00e9todo particular incluido en la lista blanca puede dar como resultado el acceso a datos a los que el usuario no tiene permiso para acceder. Las versiones 14.64.0 y 15.0.0 contienen un parche para este problema. No hay workarounds disponibles."}], "id": "CVE-2024-24813", "lastModified": "2025-07-31T20:16:59.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-21T02:52:11.770", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}