Mend Vulnerability Database
Date: June 22, 2022
Overview
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low-privileged attacker can send a direct message or a group message to any user or group while impersonating the administrator, and can read the chat messages of groups they do not belong to and of other users.
Details
The ERPNext application is built on the Frappe Framework and is affected by Missing Authorization in the chat room functionality. The “user” and “room” parameters sent with chat requests are not checked against the logged-in user's identity or room membership, so a low-privileged user can gain access to other chat groups and private conversations simply by modifying those parameter values in the request. An attacker can use the vulnerability to:
“Send a direct message/group message” to “any member/group” (whether or not the attacker is a member) impersonating an “Admin”.
“Read chat messages” of “any individual/group” without being a member of the group.
PoC Details
For demonstration purposes, three user accounts with different roles were created, from low to high privilege: “email@example.com”, “firstname.lastname@example.org” and “administrator”.
Scenario 1: “Send a direct message/group message” to “any member/group” (whether or not the attacker is a member) impersonating an “Admin”:
Log in to the application as “Administrator” and create a chat group containing all three users. As “email@example.com”, type a message in the chat box. Intercept the resulting request to “frappe.chat.doctype.chat_message.chat_message.send” in a proxy tool and observe the value of the “user” parameter in the body. Change the value of “user” to “administrator” and forward the request. The message appears in the chat box as if the “administrator” had typed it: the server records the author from the request body rather than from the authenticated session.
Scenario 2: “Read chat messages” of “any individual/group” (being a non-member of the group):
Here “firstname.lastname@example.org” is not a member of the group called “Manager and Admin”. To read other users' or groups' messages, intercept the requests in a proxy tool and click on any conversation in the chat box. Observe the value of the “room” parameter: room identifiers are generated sequentially, so the attacker can guess the neighbouring values. In the request to “frappe.chat.doctype.chat_room.chat_room.history”, change the “room” value to the preceding or succeeding number and forward it; the response contains that room's conversation. The low-privileged account can thus read the conversations of rooms it does not belong to without any restriction.
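The two scenarios above come down to the same missing server-side checks: the message author is taken from a client-supplied “user” field instead of the session, and room history is returned without verifying membership, with sequential room identifiers making enumeration trivial. The following is an added illustration, not Frappe or ERPNext code: a minimal model of a chat server with both weaknesses next to a hardened version that takes the author from the session and refuses non-members. All class and function names (VulnerableChatServer, HardenedChatServer, Session, run_vulnerable, run_hardened) and the sample messages are constructed for this example; the real “send” and “history” methods take more parameters than shown here.

```python
"""Model of the ERPNext chat-room authorization flaw and a hardened counterpart.
Added illustration only; none of these names come from Frappe/ERPNext."""
import secrets
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when the caller is not a member of the requested room."""


@dataclass
class Session:
    user: str  # identity established at login; never taken from the request body


@dataclass
class Room:
    members: set
    messages: list = field(default_factory=list)  # (author, text) pairs


class VulnerableChatServer:
    """Reproduces the two weaknesses described in the PoC."""

    def __init__(self):
        self.rooms = {}
        self._next_id = 1

    def create_room(self, members):
        # Sequential identifiers: a caller who sees room "1" can try "2" (Scenario 2).
        room_id = str(self._next_id)
        self._next_id += 1
        self.rooms[room_id] = Room(set(members))
        return room_id

    def send(self, session, user, room, content):
        # The author is whatever the client put in the "user" parameter;
        # it is never compared with the session identity (Scenario 1).
        self.rooms[room].messages.append((user, content))

    def history(self, session, room):
        # No membership check: any authenticated user can read any room.
        return list(self.rooms[room].messages)


class HardenedChatServer:
    """Same operations with the missing authorization checks put back."""

    def __init__(self):
        self.rooms = {}

    def create_room(self, members):
        # Random identifiers remove the enumeration shortcut. This is defence
        # in depth only; the membership check in _member_room is the real fix.
        room_id = secrets.token_urlsafe(16)
        self.rooms[room_id] = Room(set(members))
        return room_id

    def _member_room(self, session, room):
        r = self.rooms.get(room)
        # Unknown and non-member rooms get the same error, so the endpoint
        # cannot be used to probe which identifiers exist.
        if r is None or session.user not in r.members:
            raise NotAuthorized("not a member of this room")
        return r

    def send(self, session, room, content):
        r = self._member_room(session, room)
        # The author is the authenticated user; there is no "user" parameter.
        r.messages.append((session.user, content))

    def history(self, session, room):
        return list(self._member_room(session, room).messages)


# Constructed sample accounts mirroring the three roles used in the PoC.
ADMIN = Session("administrator")
MANAGER = Session("firstname.lastname@example.org")
LOW = Session("email@example.com")
EVERYONE = {ADMIN.user, MANAGER.user, LOW.user}
MANAGER_AND_ADMIN = {ADMIN.user, MANAGER.user}


def run_vulnerable():
    """Return (author recorded for LOW's forged message,
    history LOW obtained from a room it does not belong to)."""
    srv = VulnerableChatServer()
    shared = srv.create_room(EVERYONE)
    private = srv.create_room(MANAGER_AND_ADMIN)
    srv.send(ADMIN, user=ADMIN.user, room=private, content="payroll file is ready")
    # Scenario 1: LOW submits a message with user=administrator.
    srv.send(LOW, user="administrator", room=shared, content="send me the payroll file")
    # Scenario 2: LOW knows its own room id and simply tries the next one.
    guessed = str(int(shared) + 1)
    return srv.rooms[shared].messages[-1][0], srv.history(LOW, guessed)


def run_hardened():
    """Return (author recorded for LOW's message, whether reading the
    private room was refused)."""
    srv = HardenedChatServer()
    shared = srv.create_room(EVERYONE)
    private = srv.create_room(MANAGER_AND_ADMIN)
    srv.send(ADMIN, room=private, content="payroll file is ready")
    srv.send(LOW, room=shared, content="send me the payroll file")
    try:
        srv.history(LOW, private)
        refused = False
    except NotAuthorized:
        refused = True
    return srv.rooms[shared].messages[-1][0], refused


if __name__ == "__main__":
    print(run_vulnerable())
    print(run_hardened())
```

In the vulnerable model the forged message is stored with “administrator” as its author and the neighbouring room's history is returned to a non-member; in the hardened model the author is always the session user and the non-member read raises NotAuthorized. The point to carry over to a real deployment is that the membership check, not the random identifier, is what closes the hole.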
Affected Environments
ERPNext versions v11.0.3-beta through v13.0.2
Prevention
Upgrade to ERPNext version v13.1.0 or later.
Good to know:

CVSS v3 base metrics

| Metric | Value |
| --- | --- |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |

CVSS v2 base metrics

| Metric | Value |
| --- | --- |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |