PT-2022-15815 · Erpnext · Erpnext
Published 2022-06-22 · Updated 2022-10-29 · CVE-2022-23055
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
ERPNext versions v11.0.0-beta through v13.0.2
Description
The issue concerns missing authorization in the chat rooms functionality. A low-privileged attacker can send direct or group messages to any user or group while impersonating the administrator, and can also read the chat messages of groups they do not belong to and of other users.
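As an added illustration (constructed for this page, not ERPNext's own code), a small Python model of the two checks the description says are missing: the vulnerable shape trusts a client-supplied sender and never verifies room membership, while the hardened shape derives the sender from the authenticated session and checks membership before any message is sent or read. Room names, users and the in-memory store are assumptions.

```python
# Constructed model of the chat-room authorization flaw; room names,
# users and the message store are made up and are not ERPNext code.
from __future__ import annotations
from dataclasses import dataclass, field


class ChatAuthorizationError(Exception):
    """Raised when the session user may not act on the requested room."""


@dataclass
class ChatRoom:
    name: str
    members: set[str]
    messages: list[dict] = field(default_factory=list)


ROOMS = {
    "admins-only": ChatRoom("admins-only", {"Administrator", "alice"}),
    "sales": ChatRoom("sales", {"bob", "carol"}),
}


def send_message_unsafe(session_user: str, room: str, sender: str, text: str) -> None:
    """Vulnerable shape: the sender comes from the request, and nothing
    checks that session_user belongs to the room."""
    ROOMS[room].messages.append({"sender": sender, "text": text})


def get_messages_unsafe(session_user: str, room: str) -> list[dict]:
    """Vulnerable shape: any authenticated user can read any room."""
    return list(ROOMS[room].messages)


def _room_for(session_user: str, room: str) -> ChatRoom:
    """Shared check: the room must exist and the session user must be a member."""
    target = ROOMS.get(room)
    if target is None or session_user not in target.members:
        raise ChatAuthorizationError(f"{session_user} is not a member of {room!r}")
    return target


def send_message(session_user: str, room: str, text: str) -> bool:
    """Hardened: sender is always the session user, membership is enforced."""
    _room_for(session_user, room).messages.append({"sender": session_user, "text": text})
    return True


def get_messages(session_user: str, room: str) -> list[dict]:
    """Hardened: membership is verified before any message is returned."""
    return list(_room_for(session_user, room).messages)


def attempt(action, *args) -> bool:
    """Return True if the action is authorized, False if it is refused."""
    try:
        action(*args)
        return True
    except ChatAuthorizationError:
        return False
```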
Recommendations
For versions v11.0.0-beta through v13.0.2, consider disabling the chat rooms functionality until a patch is available, to prevent exploitation. Restrict access to sensitive groups and messages to minimize the risk of unauthorized access.
Exploit
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Erpnext