Teppay

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.

**Name of the Vulnerable Software and Affected Versions** Plane versions prior to 1.2.2 **Description** A Server-Side Request Forgery (SSRF) flaw exists in the "Add Link" feature of Plane, allowing an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and retrieve the full response body. This can lead to the theft of sensitive data from internal services and cloud metadata endpoints. **Recommendations** Update to version 1.2.2 or later.