CVE-2025-59415 - Vulnerability Details - OpenCVE

Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Frappe	Frappe Frappe Lms

No data.

No data.

References

Link	Providers
https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d
https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx

History

Thu, 18 Sep 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 18 Sep 2025 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Frappe Frappe frappe Frappe frappe Lms
Vendors & Products		Frappe Frappe frappe Frappe frappe Lms

Wed, 17 Sep 2025 21:15:00 +0000

Type	Values Removed	Values Added
Description		Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users.
Title		Frappe Learning vulnerable to Malicious Content upload via Profile bio field
Weaknesses		CWE-79
References		https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx
Metrics		cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-09-17T21:07:58.471Z

Updated: 2025-09-18T13:58:43.346Z

Reserved: 2025-09-15T19:13:16.903Z

Link: CVE-2025-59415

Vulnrichment

Updated: 2025-09-18T13:58:40.639Z

NVD

Status : Awaiting Analysis

Published: 2025-09-17T21:15:38.357

Modified: 2025-09-18T13:43:34.310

Link: CVE-2025-59415

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-59415", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-15T19:13:16.903Z", "datePublished": "2025-09-17T21:07:58.471Z", "dateUpdated": "2025-09-18T13:58:43.346Z"}, "containers": {"cna": {"title": "Frappe Learning vulnerable to Malicious Content upload via Profile bio field", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx"}, {"name": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d"}], "affected": [{"vendor": "frappe", "product": "lms", "versions": [{"version": "<= 2.34.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-09-17T21:07:58.471Z"}, "descriptions": [{"lang": "en", "value": "Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users."}], "source": {"advisory": "GHSA-h7gh-3vq5-96jx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-18T13:58:38.663050Z", "id": "CVE-2025-59415", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-18T13:58:43.346Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Frappe Learning vulnerable to Malicious Content upload via Profile bio field", "source": {"advisory": "GHSA-h7gh-3vq5-96jx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "frappe", "product": "lms", "versions": [{"status": "affected", "version": "<= 2.34.1"}]}], "references": [{"url": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx", "name": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d", "name": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-09-17T21:07:58.471Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59415", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-18T13:58:38.663050Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-09-18T13:58:40.639Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-59415", "state": "PUBLISHED", "dateUpdated": "2025-09-17T21:07:58.471Z", "dateReserved": "2025-09-15T19:13:16.903Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-09-17T21:07:58.471Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}