PT-2020-10487 · Frappé Technologies · Erpnext
Published
2020-03-18
·
Updated
2020-08-24
·
CVE-2019-20511
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
ERPNext version 11.1.47
Description
The issue allows for frame injection via the blog category parameter. This can be exploited through the "blog?blog category=" endpoint. The
blog category parameter is vulnerable to injection.Recommendations
For ERPNext version 11.1.47, consider restricting access to the blog category parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the
blog category parameter in the affected endpoint until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Erpnext