CVE-2025-67730

Frappe authenticated users can execute XSS through form description fields

CVSS 5.1 MEDIUMEPSS 0.1%CWE-79

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.1EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 dez 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Produtos afetados

frappe · lms

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2