PT-2020-10505 · Frappe · Frappe

Published: 2020-03-18 · Updated: 2021-07-21 · CVE-2019-20529

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Frappe versions 11 through 12

Description: The issue concerns the storage of data files generated by Prepared Report in Frappe. These files were stored as public files, so no authentication is required to access them; having the link is sufficient. The expected behavior is to store them as private files.

Recommendations: For Frappe versions 11 through 12, modify the file storage settings in the prepared_report.py module so that data files are stored as private files, requiring authentication for access. As a temporary workaround, restrict access to the public files generated by Prepared Report until a proper fix is implemented.
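As an added illustration (not part of this advisory or of Frappe's own code), the following Python sketches the check behind the workaround above: audit File records for Prepared Report outputs stored with is_private = 0 and convert them to private. The FileRecord class and the sample rows are constructed; the field names is_private, attached_to_doctype and file_url are those of Frappe's File doctype.

```python
from dataclasses import dataclass, replace

# Constructed stand-in for rows of Frappe's File doctype (the `tabFile` table).
# Field names are Frappe's; the sample values below are made up for this example.
@dataclass(frozen=True)
class FileRecord:
    name: str
    file_name: str
    file_url: str
    attached_to_doctype: str
    is_private: int  # 0 = served from /files/ with no login, 1 = authentication required

PUBLIC_PREFIX = "/files/"
PRIVATE_PREFIX = "/private/files/"

# Constructed sample: one exposed report, one correctly private report, one unrelated public asset.
SAMPLE_FILES = [
    FileRecord("f001", "report-a.json.gz", "/files/report-a.json.gz", "Prepared Report", 0),
    FileRecord("f002", "report-b.json.gz", "/private/files/report-b.json.gz", "Prepared Report", 1),
    FileRecord("f003", "logo.png", "/files/logo.png", "Website Settings", 0),
]

def find_exposed_prepared_reports(records):
    """Prepared Report outputs flagged public: anyone with the link can fetch them."""
    return [r for r in records
            if r.attached_to_doctype == "Prepared Report" and not r.is_private]

def make_private(record):
    """Hardened form of a record: private flag set and URL moved under /private/files/."""
    url = record.file_url
    if url.startswith(PUBLIC_PREFIX):
        url = PRIVATE_PREFIX + url[len(PUBLIC_PREFIX):]
    return replace(record, is_private=1, file_url=url)

def remediate(records):
    """Return the record set with every exposed Prepared Report output converted to private."""
    exposed = {r.name for r in find_exposed_prepared_reports(records)}
    return [make_private(r) if r.name in exposed else r for r in records]

if __name__ == "__main__":
    for r in find_exposed_prepared_reports(SAMPLE_FILES):
        print("exposed:", r.file_url)
    for r in remediate(SAMPLE_FILES):
        print("after:", r.file_url, "private" if r.is_private else "public")
```

On a live site the file also has to move on disk from the public to the private files directory; this sketch only shows the record-level check and change.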

Fix

Missing Authentication

Files Accessible to External Parties


Weakness Enumeration

Related Identifiers: CVE-2019-20529

Affected Products: Frappe