CVE-2025-55006
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | learning | From 2.0.0 (inc) to 2.34.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Frappe Learning versions 2.33.0 and below involves inadequate sanitization of uploaded SVG files. Users could upload SVG files containing embedded JavaScript or other malicious content, which could then execute arbitrary scripts in the context of other users.
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary scripts within the context of other users, potentially leading to unauthorized actions, data theft, or compromise of user accounts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid uploading SVG files until you can upgrade to Frappe Learning version 2.34.0 or later, where the issue is fixed. Additionally, restrict or disable SVG uploads if possible, and educate users about the risks of uploading SVG files containing embedded scripts.