CVE-2024-27105

Published: Mar 21, 2024Modified: Jul 31, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.

Affected (2)

Products: Frappe: Frappe

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Frappe Frappe	Before 14.66.3
Frappe Frappe	From 15.0.0 to 15.16.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw

Source: security-advisories@github.com

Vendor Advisory

https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.