Frappe Learning Holds Potential for Malicious SVG Upload in Image...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Description

Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0.

Basic Information

ID CVE-2025-55006

Source GitHub_M

Published Aug 9, 2025 at 02:01

Affected Product

Vendor frappe

Product lms

Version <= 2.33.0

Affected Versions frappe lms <= 2.33.0

CWE Classification

CWE-20

References

github.com /frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr

{
    "lastseen": "",
    "description": "Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0.",
    "published": "2025-08-09T02:01:57.136Z",
    "modified": "2025-08-09T02:01:57.136Z",
    "type": "cve",
    "title": "Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr",
    "id": "CVE-2025-55006",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "frappe lms <= 2.33.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "lms",
    "version": "<= 2.33.0",
    "vendor": "frappe",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature_CVE-2025-55006