PT-2020-10497 · Frappé Technologies · Erpnext
Published
2020-03-19
·
Updated
2020-03-19
·
CVE-2019-20521
CVSS v3.1
7.4
High
| Vector | AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R |
Name of the Vulnerable Software and Affected Versions
ERPNext version 11.1.47
Description
The issue allows for reflected XSS via the PATH INFO to the "api/" URI. This means an attacker can craft a malicious URL that, when visited by a user, can execute arbitrary JavaScript code in the context of the ERPNext application.
Recommendations
For ERPNext version 11.1.47, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "api/" URI to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Erpnext