
Open redirect on login page

Moderate
ankush published GHSA-7g27-q225-j894 May 9, 2024

Package

frappe (frappe)

Affected versions

<=15.25.0
<=14.73.0

Patched versions

15.26.0
14.74.0

Description

Impact

The login page accepts a redirect argument, and it allowed redirects to untrusted external URLs. This behaviour can be used by malicious actors for phishing.
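The kind of check that prevents this class of bug, as an added example (not Frappe's patch and not code from this advisory): a validator that accepts a post-login redirect target only when it stays on the site's own host. The function name, the `site_host` parameter and the sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str, site_host: str) -> bool:
    """Return True only if `target` keeps the browser on `site_host`.

    Hypothetical helper; `site_host` is the bare host name (no port).
    """
    if not target:
        return False
    # Browsers drop tabs/newlines inside URLs, so a value containing
    # control characters may parse differently here than in the browser.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/" in http(s) URLs; normalise the same way.
    candidate = target.strip().replace("\\", "/")
    # "//host/path" is scheme-relative and leaves the site.
    if candidate.startswith("//"):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only path-absolute targets ("/app").
        return candidate.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    # Reject userinfo ("site@other-host"), which hides the real host.
    if "@" in parts.netloc:
        return False
    # A missing host ("https:other.example") yields hostname None.
    return (parts.hostname or "").lower() == site_host.lower()


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    site = "erp.example.test"
    samples = [
        "/app/home",
        "https://erp.example.test/app",
        "https://other.example/login",
        "//other.example",
        "/\\other.example",
        "https://erp.example.test@other.example/",
    ]
    for s in samples:
        print(f"{s!r:45} -> {is_safe_redirect(s, site)}")
```

A target that fails the check should be replaced with a fixed on-site default rather than followed.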

Workarounds

There's no workaround for this; upgrading the site is recommended.

ref: #26304

Severity

Moderate
6.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2024-34074
