PT-2020-10496 · Frappé Technologies · Erpnext

Published: 2020-03-19 · Updated: 2020-03-19 · CVE-2019-20520

CVSS v3.1: 7.4 (High)
Vector: AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R
Name of the Vulnerable Software and Affected Versions: ERPNext version 11.1.47

Description: The issue allows reflected cross-site scripting (XSS) via the PATH INFO of requests to the "api/method/" URI. An attacker can place script in the PATH INFO portion of a request to this API endpoint; the application reflects it into the response, where it executes in the browser of a user who opens the crafted link.

Recommendations: For ERPNext version 11.1.47, consider restricting access to the "api/method/" URI until a patch is available. As a temporary workaround, avoid using the PATH INFO variable in requests to this endpoint to minimize the risk of exploitation.

Tags: XSS


Weakness Enumeration

Related Identifiers: CVE-2019-20520

Affected Products: Erpnext