We found results for “


Date: June 22, 2022


In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.


The “ERPNext” application is built on “Frappe Framework”, it is affected by Missing Authorization in the chat room functionality. This allows a low privileged user to gain access over the other chat groups and private conversations by modifying the “user” and “room” parameter values in the request. An attacker can make use of the vulnerability and do the following:
“Send a direct message/group message” to “any member/group (both member and not a member)” impersonating an “Admin”.
“Read chat messages” of “any individual/group” (being a non-member of the group).

PoC Details

For demonstration purposes, a three different set of user roles were created, beginning from low to high privileged users. The roles are “user1@app.com, manager1@app.com, administrator”.
Scenario 1: “Send a direct message/group message” to “any member/group (both member and not a member)” impersonating as an “Admin”:
Login into the application as “Administrator” and create a chat group with all three users. As “user1@app.com”, type a message in the chat box to impersonate the admin. Now intercept the request to “frappe.chat.doctype.chat_message.chat_message.send” and observe the value of parameter “user” in the body. Now modify the value of “user” parameter to “administrator” and forward the request. The message is reflected in the chat box as typed by the “administrator”.
Scenario 2: “Read chat messages” of “any individual/group” (being a non-member of the group):
Here “user1@app.com” is not a member of the group called “Manager and Admin”. To read other individual/group messages click on any conversation in the chat box after intercepting the request in a proxy tool. Now observe the value of the “room” parameter which is being generated in a sequential order. This lets the attacker guess the next values for the parameter “room”. In the request “frappe.chat.doctype.chat_room.chat_room.history”, modify the parameter “room” value to its succeeding or preceding numbers so that the attacker can read the other’s conversation. Now “user1@app.com” can read the conversations of other rooms without any restrictions.

Affected Environments

ERPNext versions v11.0.3-beta through v13.0.2


Upgrade to ERPNext version v13.1.0

Language: Python

Good to know:


Missing Authorization


Upgrade Version

Upgrade to version v13.1.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Additional information: