PT-2020-10491 · Frappé Technologies · Erpnext
Umran Yildirimkaya
·
Published
2020-03-19
·
Updated
2020-03-19
·
CVE-2019-20515
CVSS v3.1
7.4
High
| Vector | AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R |
Name of the Vulnerable Software and Affected Versions
ERPNext version 11.1.47
Description
The issue allows for reflected XSS via the PATH INFO to the "addresses/" URI. This means an attacker can craft a malicious URL that, when visited by a user, can execute arbitrary JavaScript code on the user's browser, potentially leading to unauthorized actions or data theft.
Recommendations
For ERPNext version 11.1.47, consider restricting access to the "addresses/" URI until a patch is available. As a temporary workaround, avoid using the PATH INFO to the addresses/ URI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Erpnext