PT-2020-10495 · Frappé Technologies · Erpnext
Published
2020-03-19
·
Updated
2020-03-19
·
CVE-2019-20519
CVSS v3.1
7.4
High
| Vector | AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R |
Name of the Vulnerable Software and Affected Versions
ERPNext version 11.1.47
Description
The issue allows for reflected XSS via the PATH INFO to the "user/" URI. This can be demonstrated by a crafted e-mail address.
Recommendations
For ERPNext version 11.1.47, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "user/" URI to minimize the risk of exploitation. Avoid using crafted e-mail addresses in the affected API endpoint until the issue is resolved.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Erpnext