{"id":"CVE-2019-15700","details":"public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted \"changed value of\" text.","modified":"2026-03-14T06:58:45.326721Z","published":"2019-08-27T18:15:11.153Z","references":[{"type":"FIX","url":"https://github.com/frappe/frappe/pull/8262"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/frappe/frappe","events":[{"introduced":"93022be8b58512670d38acb69a06399a26f37f3b"},{"last_affected":"175818675d5c6f4c3c503925dd904ad67449de4b"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"last_affected":"12.0.8"}]}}],"versions":["v12.0.0","v12.0.1","v12.0.2","v12.0.3","v12.0.4","v12.0.5","v12.0.6","v12.0.7","v12.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15700.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}