Umran Yildirimkaya

**Name of the Vulnerable Software and Affected Versions** ERPNext version 11.1.47 **Description** The issue allows for reflected XSS via the PATH INFO to the "addresses/" URI. This means an attacker can craft a malicious URL that, when visited by a user, can execute arbitrary JavaScript code on the user's browser, potentially leading to unauthorized actions or data theft. **Recommendations** For ERPNext version 11.1.47, consider restricting access to the "addresses/" URI until a patch is available. As a temporary workaround, avoid using the PATH INFO to the addresses/ URI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ERPNext version 11.1.47 **Description** The issue allows for reflected XSS via the PATH INFO to the `contact/` URI. This can potentially lead to malicious script execution on the client-side. **Recommendations** For ERPNext version 11.1.47, as a temporary workaround, consider restricting access to the `contact/` URI until a patch is available. Avoid using the PATH INFO to the `contact/` URI in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.