← Zuruck zu CVEs

CVE-2025-52898

HIGH

8.8

Beschreibung

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.

CVE Details

CVSS v3.1 Bewertung8.8

SchweregradHIGH

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionREQUIRED

Veroffentlicht6/30/2025

Zuletzt geandert7/8/2025

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

frappe:frappe

Schwachen (CWE)

CWE-200

Referenzen

https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2(security-advisories@github.com)

https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66(security-advisories@github.com)

https://github.com/frappe/frappe/pull/31522(security-advisories@github.com)

https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.