CVE-2024-34074: Frappe vuilnerable to an open redirect on login page
First published: Thu May 09 2024(Updated: )
Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Frappe LMS | <15.26.0<14.74.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-34074?
CVE-2024-34074 is considered a high severity vulnerability due to its potential for phishing attacks.
How do I fix CVE-2024-34074?
To fix CVE-2024-34074, update to Frappe version 15.26.0 or 14.74.0 or later.
What types of software are affected by CVE-2024-34074?
CVE-2024-34074 affects Frappe versions prior to 15.26.0 and 14.74.0.
What is the main risk associated with CVE-2024-34074?
The main risk associated with CVE-2024-34074 is the potential for malicious actors to conduct phishing attacks through untrusted redirects.
Is CVE-2024-34074 a zero-day vulnerability?
CVE-2024-34074 is not a zero-day vulnerability as it has been publicly disclosed and fixed by the vendor.
- agent/title
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/frappe
- canonical/frappe lms