Publishing security advisories using Github Security Advisory

ankush · March 20, 2024, 7:47am

Hello Community members,

Few months ago we started publishing security advisories using GitHub Security Advisories (GHSA). GHSA let’s us publish disclosures, assign CVEs and safely collaborate with reporters.

You can access them here: Security Advisories · frappe/frappe · GitHub

Note:

There was one recent critical vulnerability disclosure hence sharing it here. It’s highly recommended to keep your site up to date.
We will integrate these reports with Frappe Cloud too, so you can get alerts from single place.

fkardame · March 21, 2024, 8:50am

Hello Ankush,

Thank you for this disclosure.

SQL Injection from reporting logic

If this is affecting V12,13 then how can it be solved without upgrading to V14 ?

Any plan to back port the patch ?

ankush · March 21, 2024, 1:33pm

Your link seems to be broken. Here’s correct one: SQL Injection from reporting logic · Advisory · frappe/frappe · GitHub

There are no plans to backport to v13, v12. V12 has been EOL since long time