File Upload XSS

PoC steps are the following:
[+] choose a web site and sign up.
[+] go to update profile.
[+] choose your Ev!l file, upload it and go to /files/yours

Added GitHub issue: File Upload XSS · Issue #5768 · frappe/frappe · GitHub
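The report above boils down to one mistake: a user-controlled file (HTML, SVG or anything the browser will interpret as a document) is served back from `/files/` in the same origin as the application, so any script inside it runs with the site's cookies and session. As an added illustration that is not code from frappe/frappe and not part of this thread, the snippet below shows the checks a `/files/<name>` handler can apply before handing a stored upload to the browser: an allow-list of types that may render inline, a magic-byte check so a renamed HTML file does not pass as a PNG, a scan of the leading bytes for active markup, and response headers (`nosniff`, `Content-Disposition: attachment`, a sandboxing CSP) for everything else. All names (`INLINE_TYPES`, `serve_headers`, the sample bytes) are constructed for this example and are not Frappe's API.

```python
"""Decide how a user-uploaded file stored under /files/ should be served.

Added illustration, not frappe/frappe code. Every constant and function name
here is an assumption for the example, not a Frappe API.
"""
import re

# Content types the browser is allowed to render inline (constructed allow-list).
# Deliberately excludes text/html, image/svg+xml, application/xhtml+xml and
# application/pdf, all of which can carry script or trigger plugin viewers.
INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Leading bytes ("magic numbers") expected for the binary inline types.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Extension -> declared type; anything not listed is treated as opaque.
EXT_TO_TYPE = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "txt": "text/plain",
}

# Markup that turns a "text" or "image" file into an executable document.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed|meta|body|link)\b", re.IGNORECASE
)


def declared_type(filename):
    """Content type implied by the extension, or None if the extension is unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext)


def magic_matches(content_type, data):
    """True if the file's leading bytes agree with the declared binary type.

    text/plain has no signature, so it passes here and relies on looks_active().
    """
    sigs = MAGIC.get(content_type)
    if sigs is None:
        return True
    return any(data.startswith(sig) for sig in sigs)


def looks_active(data):
    """True if the first 4 KiB contain markup a browser could execute."""
    return ACTIVE_MARKUP.search(data[:4096]) is not None


def safe_name(filename):
    """Strip path components and header-breaking characters from a file name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def serve_headers(filename, data):
    """Return the response headers for serving one stored upload.

    Only files that are on the inline allow-list, whose bytes match that type,
    and that contain no active markup are rendered inline. Everything else is
    sent as an opaque download so the browser never treats it as a document.
    Both branches carry nosniff and a sandboxing CSP as defence in depth.
    """
    ctype = declared_type(filename)
    inline = (
        ctype in INLINE_TYPES
        and magic_matches(ctype, data)
        and not looks_active(data)
    )
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    name = safe_name(filename)
    if inline:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header and an HTML document.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html = b"<html><script>alert(document.cookie)</script></html>"
    print(serve_headers("avatar.png", png))
    print(serve_headers("avatar.html", html))
    print(serve_headers("avatar.png", html))  # HTML renamed to .png
```

The important design choice is that the decision is made from the stored bytes and a fixed allow-list, never from the extension or the client-supplied `Content-Type` alone; serving uploads from a separate origin (a dedicated files domain) removes the remaining risk entirely, because even a rendered HTML file then has no access to the application's cookies.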


Thanks for notifying

Please report security issues at


Yeah, I just stumbled across the post - the disclosure wasn’t made by me. Since it was already public, I figured the best place to get visibility was the forum and an issue.

One idea is to add a SECURITY.md file to help promote responsible disclosures. Electron has a good example: electron/ at main · electron/electron · GitHub

The foundation could also look at applying for a free HackerOne license to help coordinate disclosures:

Not Found :slight_smile:

Perhaps this can be added in the ReadMe as well.

I looked in the repos, and it looks like it was on (though I’m not sure how to actually reach that page through the navigation without a direct link).

I’m just stating the experience I went through trying to find the security disclosure contact information for the project. I don’t know what others think. You can make the call as to where to place the information.

