← voltar
CVE-2025-55006

Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature

CVSS 4.3 MEDIUMEPSS 0.2%CWE-20
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
09 ago 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Produtos afetados
frappe · lms

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr