Frappe Learning vulnerable to Malicious Content upload via Profile bio field

Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Frappe Learning 跨站脚本漏洞

Frappe Learning是Frappe开源的一个易于使用的开源学习管理系统。 Frappe Learning 2.34.1及之前版本存在跨站脚本漏洞，该漏洞源于未充分清理个人简介中的上传内容，可能导致恶意SVG文件在其他用户环境中执行任意脚本。

N/A

N/A