CVE-2024-24813 - Vulnerability Details - OpenCVE

Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00388.

Key SSVC decision points have not yet been added.

Vendors	Products
Frappe	Frappe

Configuration 1 [-]

cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Frappe	Frappe

Advisories

Source	ID	Title
EUVD	EUVD-2024-22185	Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh

History

Thu, 31 Jul 2025 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:frappe:frappe::::::::

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-20T18:11:34.165Z

Updated: 2024-08-05T19:24:50.323Z

Reserved: 2024-01-31T16:28:17.941Z

Link: CVE-2024-24813

Vulnrichment

Updated: 2024-08-01T23:28:12.814Z

NVD

Status : Analyzed

Published: 2024-03-21T02:52:11.770

Modified: 2025-07-31T20:16:59.737

Link: CVE-2024-24813

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-12T22:16:17Z

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24813", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-31T16:28:17.941Z", "datePublished": "2024-03-20T18:11:34.165Z", "dateUpdated": "2024-08-05T19:24:50.323Z"}, "containers": {"cna": {"title": "Frappe SQL Injection from reporting logic", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": "< 14.64.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-20T18:11:34.165Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."}], "source": {"advisory": "GHSA-fxfv-7gwx-54jh", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.814Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}]}, {"affected": [{"vendor": "frappe", "product": "frappe", "cpes": ["cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "14.64.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T18:29:09.001899Z", "id": "CVE-2024-24813", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T19:24:50.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.814Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T18:29:09.001899Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*"], "vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": "0", "lessThan": "14.64.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T19:24:37.568Z"}}], "cna": {"title": "Frappe SQL Injection from reporting logic", "source": {"advisory": "GHSA-fxfv-7gwx-54jh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": "< 14.64.0"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-20T18:11:34.165Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24813", "state": "PUBLISHED", "dateUpdated": "2024-08-05T19:24:50.323Z", "dateReserved": "2024-01-31T16:28:17.941Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-20T18:11:34.165Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "B63AB31A-29DA-4A7A-8789-F97C6A9712E2", "versionEndExcluding": "14.64.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available."}, {"lang": "es", "value": "Frappe es un framework de aplicaci\u00f3n web completo. Antes de las versiones 14.64.0 y 15.0.0, la inyecci\u00f3n SQL desde un m\u00e9todo particular incluido en la lista blanca puede dar como resultado el acceso a datos a los que el usuario no tiene permiso para acceder. Las versiones 14.64.0 y 15.0.0 contienen un parche para este problema. No hay workarounds disponibles."}], "id": "CVE-2024-24813", "lastModified": "2025-07-31T20:16:59.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-21T02:52:11.770", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fxfv-7gwx-54jh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}