Impact
A Stored Cross‑Site Scripting flaw allows untrusted users to inject malicious scripts into the Number Card component of Frappe Framework 17.0.0‑dev. The script is stored and later rendered in the browser when a user accesses a dashboard that contains a Number Card filter field. Attackers could steal session cookies, deface the site, or perform other client‑side attacks through this flaw, consistent with CWE‑79.
Affected Systems
The vulnerability affects Frappe Framework 17.0.0‑dev on Linux, macOS, and Windows platforms.
Risk and Exploitability
The CVSS score of 4.6 indicates a low severity, and no EPSS score is available, suggesting limited exploitation data. The flaw is not listed in the CISA KEV catalog. Likely exploitation requires legitimate access that permits the attacker to input data into the Number Card filter fields, after which any user who views that dashboard will execute the injected script.
OpenCVE Enrichment