Frappe version: 11 and 12
- Sensitive data exposure because of bootinfo being displayed in "View Page Source"
- Low-privilege users can view information such as all user emails and info, system defaults, the apps used and their versions, all DocTypes, permissions, etc.

Steps to reproduce:
- Log in as a low-privilege user.
- Right-click the page, then select "View Page Source" (alternatively press Ctrl + U).
- The source code of the site will be displayed.
- Examining the content reveals sensitive information that can be used by threat actors.
Frappe Framework and ERPNext versions are displayed, which can be utilized to search for vulnerabilities that are available online.
Is there a way that we can hide this info?
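One defensive approach is a custom-app hook that trims what the server puts into bootinfo for users without a privileged role. This is an added example, not code from the post or from Frappe; the `boot_session` hook name, the `frappe.session.user` / `frappe.get_roles()` calls and the bootinfo keys `versions` and `user_info` are assumed from Frappe's conventions and should be checked against the installed version.

```python
# Added example: redact bootinfo for low-privilege users before it is
# embedded in the page (and therefore in "View Page Source").
# Assumptions: Frappe calls the function named by `boot_session` in hooks.py
# with the bootinfo dict; the keys "versions" and "user_info" exist in the
# installed version. Verify the desk still loads after enabling this.

PRIVILEGED_ROLES = {"Administrator", "System Manager"}

# Constructed sample approximating the shape seen in the page source.
SAMPLE_BOOTINFO = {
    "versions": {"frappe": "12.0.0", "erpnext": "12.0.0"},
    "user_info": {
        "alice@example.com": {"fullname": "Alice", "email": "alice@example.com"},
        "admin@example.com": {"fullname": "Admin", "email": "admin@example.com"},
    },
    "sysdefaults": {"country": "Example Country"},
}


def redact_bootinfo(bootinfo: dict, session_user: str, roles) -> dict:
    """Return a copy of bootinfo with app version numbers and other users'
    details removed unless the session user holds a privileged role."""
    if PRIVILEGED_ROLES & set(roles):
        return dict(bootinfo)
    safe = dict(bootinfo)
    # App/framework version numbers let a reader match public advisories.
    safe.pop("versions", None)
    # Keep only the current user's own record, not every user's name/email.
    user_info = bootinfo.get("user_info") or {}
    safe["user_info"] = {k: v for k, v in user_info.items() if k == session_user}
    # sysdefaults are left untouched: the client reads them for form defaults.
    return safe


def boot_session(bootinfo):
    """Hook target, assumed wiring in hooks.py:
    boot_session = "myapp.boot.boot_session"
    Mutates the dict in place because Frappe keeps its own reference."""
    import frappe  # only importable inside a Frappe bench

    redacted = redact_bootinfo(bootinfo, frappe.session.user, frappe.get_roles())
    bootinfo.clear()
    bootinfo.update(redacted)
```

Other keys in bootinfo (DocType metadata, permissions) are needed by the desk client, so removing them is likely to break the UI; restrict those through role and DocType permissions instead.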