PT-2022-15818 · Erpnext · Erpnext

Published

2022-06-22

Updated

2022-07-05

CVE-2022-23058

CVSS v2.0

3.5

Low

Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions ERPNext versions v12.0.9 through v13.0.3

Description The issue allows low privileged users to store malicious scripts in the username field in 'my settings', which can lead to full account takeover. This is a stored XSS vulnerability.

Recommendations For ERPNext versions v12.0.9 through v13.0.3, consider disabling the ability to edit the username field in 'my settings' until a patch is available. Restrict access to the 'my settings' module to minimize the risk of exploitation. Avoid using the username field in the affected settings until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2022-23058

Affected Products

Erpnext

PT-2022-15818 · Erpnext · Erpnext

CVE-2022-23058

Weakness Enumeration

Related Identifiers

Affected Products

References · 6