Sensitive Date Exposure using frappe.bootinfo

Install / Update Security
1

Frappe version: 11 and 12
Issue:

  • Sensitive data exposure because of bootinfo and being displayed in “View Source Page”
  • Low privilege users can view information such as all user emails and info, system defaults, the app used and its version, All Doctypes, permissions, etc.

To Duplicate:

  1. Log in as low privilege user
  2. Right-click the page then select “View Page Source”, alternatively press “ctrl + U”).
  3. Source code of the site will be displayed.
  4. Examining the content displays sensitive information that can be used by threat actors.

Frappe Framework and ERPNext versions are displayed which can be utilized to search for vulnerabilities that are available online.

Is there a way that we can hide this infos?

1 Like
2

did you ever get resolution to this?

1 Like
3

It seems like this should at least be in a separate script, and ideally minified or obfuscated in some way. When you do view source, users can see all the other email addresses and names of all other users (PII data).