Vulnerabilities related to frappe / erpnext
Vulnerability from fkie_nvd
Published
2018-12-11 17:29
Modified
2024-11-21 04:00
Summary
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. The attack requires a logged-in user but no special privileges beyond that; since many ERPNext sites allow self-service account creation via the web, it is often reachable by anyone. By calling a JavaScript function that in turn calls a server-side Python function with carefully chosen arguments, an attacker can construct SQL queries that return any columns from any tables in the database. The issue is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call. Note that the NVD CVSS v3.0 vector recorded below (PR:N) does not reflect the authentication precondition stated here; treat open self-registration as the effective exposure condition.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/frappe/erpnext/issues/15337 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/erpnext/issues/15337 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
frappe | erpnext | 10.0.0 through 10.1.76 (inclusive) | |
frappe | erpnext | 11.0.0 up to, but excluding, 11.0.3 | |
frappe | erpnext | 11.0.3 beta2 | |
frappe | erpnext | 11.0.3 beta3 | |
frappe | erpnext | 11.0.3 beta4 | |
frappe | erpnext | 11.0.3 beta5 | |
frappe | erpnext | 11.0.3 beta6 | |
frappe | erpnext | 11.0.3 beta7 | |
frappe | erpnext | 11.0.3 beta8 | |
frappe | erpnext | 11.0.3 beta9 | |
frappe | erpnext | 11.0.3 beta10 | |
frappe | erpnext | 11.0.3 beta11 | |
frappe | erpnext | 11.0.3 beta12 | |
frappe | erpnext | 11.0.3 beta13 | |
frappe | erpnext | 11.0.3 beta14 | |
frappe | erpnext | 11.0.3 beta15 | |
frappe | erpnext | 11.0.3 beta16 | |
frappe | erpnext | 11.0.3 beta17 | |
frappe | erpnext | 11.0.3 beta18 | |
frappe | erpnext | 11.0.3 beta19 | |
frappe | erpnext | 11.0.3 beta20 | |
frappe | erpnext | 11.0.3 beta21 | |
frappe | erpnext | 11.0.3 beta22 | |
frappe | erpnext | 11.0.3 beta23 | |
frappe | erpnext | 11.0.3 beta24 | |
frappe | erpnext | 11.0.3 beta25 | |
frappe | erpnext | 11.0.3 beta26 | |
frappe | erpnext | 11.0.3 beta27 | |
frappe | erpnext | 11.0.3 beta28 | |
frappe | erpnext | 11.0.3 beta29 (the 11.0.3 final release is not in the affected range) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D15E6CA-D0E1-493A-B300-7AF679D33F44", "versionEndIncluding": "10.1.76", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFAED978-36E5-459B-B94C-E76F545D6917", "versionEndExcluding": "11.0.3", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta10:*:*:*:*:*:*", "matchCriteriaId": "C9DCB37E-061E-44D6-A686-6464B5BE54D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta11:*:*:*:*:*:*", "matchCriteriaId": "93C2D6DF-B4E5-434B-8632-DB1DF10CE5E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta12:*:*:*:*:*:*", "matchCriteriaId": "0C6F3220-13B5-4504-87DB-09495E5E1386", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta13:*:*:*:*:*:*", "matchCriteriaId": "D6AFF494-240F-4981-B4EC-24771A6E1E4C", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta14:*:*:*:*:*:*", "matchCriteriaId": "69D3FEA8-FC3F-434E-AFA6-D03D8EFAC524", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta15:*:*:*:*:*:*", "matchCriteriaId": "D9D81630-3EE2-498E-9A76-0F0C1CDD1A15", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta16:*:*:*:*:*:*", "matchCriteriaId": "C3367D0E-5701-4FCA-8307-0FA7D25D71E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta17:*:*:*:*:*:*", "matchCriteriaId": "1DBD878F-935B-427F-B6DF-4DA4356E9843", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta18:*:*:*:*:*:*", "matchCriteriaId": "DAE5DFE4-55B8-4F68-8C3A-2CDC13D8A735", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta19:*:*:*:*:*:*", "matchCriteriaId": "6F22BFC9-CA3D-4B57-AD93-1B5094D69508", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:frappe:erpnext:11.0.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "FE5E71D9-CCD4-47F4-9AC8-4E4A112E9C0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta20:*:*:*:*:*:*", "matchCriteriaId": "CA394555-C3A0-4142-B023-60A9014C87E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta21:*:*:*:*:*:*", "matchCriteriaId": "6B5C737A-A824-4E7D-A8D6-A0E0A4AE710A", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta22:*:*:*:*:*:*", "matchCriteriaId": "33E4D6A6-2F64-4DB8-9946-5E54FE889E6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta23:*:*:*:*:*:*", "matchCriteriaId": "8AAD166B-0B54-4D74-A61D-A17F34C403F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta24:*:*:*:*:*:*", "matchCriteriaId": "2856944B-7178-414D-B485-5B8C4D88E95D", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta25:*:*:*:*:*:*", "matchCriteriaId": "27EE33DF-6485-463D-BB51-33D4295D3E55", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta26:*:*:*:*:*:*", "matchCriteriaId": "FBEED6D7-3EA2-4BC0-B7F8-5F104F90EB82", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta27:*:*:*:*:*:*", "matchCriteriaId": "C5E9A6A8-A210-467F-888C-1327C8E5F5D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta28:*:*:*:*:*:*", "matchCriteriaId": "97CA5919-E7B0-417B-BF91-6B407F83F167", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta29:*:*:*:*:*:*", "matchCriteriaId": "E0C2C925-F3D3-4C5D-A281-2BE62F32BB52", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "0411AA32-05B2-49C2-A0DC-8F74BDABCA3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta4:*:*:*:*:*:*", "matchCriteriaId": "EE9DFDFA-9387-46C2-BC9C-58A90713F0E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta5:*:*:*:*:*:*", 
"matchCriteriaId": "86661EEC-799A-404B-A847-D91A00403F3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta6:*:*:*:*:*:*", "matchCriteriaId": "2AFA67C7-6829-4160-A7C8-B3DD56E60CF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta7:*:*:*:*:*:*", "matchCriteriaId": "90E1D4DA-2D89-4CD5-B34F-33D96BD2C341", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta8:*:*:*:*:*:*", "matchCriteriaId": "8B4BE801-0FF0-4B44-8DCF-E2805DCC39A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta9:*:*:*:*:*:*", "matchCriteriaId": "B4AE27CF-FCAF-4491-AAC1-8EB5E5C5FD6A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call." }, { "lang": "es", "value": "Se ha descubierto un problema de inyecci\u00f3n SQL en ERPNext, en versiones 10.x y 11.x hasta la 11.0.3-beta.29. Este ataque solo est\u00e1 disponible para un usuario que haya iniciado sesi\u00f3n; sin embargo, muchos sitios de ERPNext permiten la creaci\u00f3n de cuentas mediante la web. No se necesitan privilegios especiales para llevar a cabo el ataque. 
Al llamar a una funci\u00f3n JavaScript que llama a una funci\u00f3n de Python del lado del servidor con argumentos cuidadosamente escogidos, se puede realizar un ataque SQL que permite que se construyan consultas SQL que devuelvan cualquier columna de cualquier tabla de la base de datos. Esto est\u00e1 relacionado con los URI frappe.get_list y frappe.call en /api/resource/Item?fields=." } ], "id": "CVE-2018-20061", "lastModified": "2024-11-21T04:00:49.627", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-12-11T17:29:00.507", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/frappe/erpnext/issues/15337" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/frappe/erpnext/issues/15337" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI addresses/." } ], "id": "CVE-2019-20515", "lastModified": "2024-11-21T04:38:38.930", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.257", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-06-22 08:15
Modified
2024-11-21 06:47
Summary
ERPNext versions v12.0.9 through v13.0.3 are vulnerable to stored cross-site scripting (XSS) because user input is not validated properly. A low-privileged attacker can inject arbitrary script into input fields when editing their own profile; as with any stored XSS, the payload is then served to other users who view the affected field. The referenced patch is a commit in the frappe/frappe framework repository, so the affected code is in Frappe itself — check the installed Frappe version, not only the ERPNext version. Note also that the NVD configuration below marks all versions up to (excluding) 13.1.0 as affected, a wider range than the v13.0.3 stated here.
References
▼ | URL | Tags | |
---|---|---|---|
vulnerabilitylab@mend.io | https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | Patch, Third Party Advisory | |
vulnerabilitylab@mend.io | https://www.mend.io/vulnerability-database/CVE-2022-23057 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.mend.io/vulnerability-database/CVE-2022-23057 | Exploit, Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "499D0203-C1EF-4D8F-9D5B-624AB22B7624", "versionEndExcluding": "13.1.0", "versionStartIncluding": "12.0.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile." }, { "lang": "es", "value": "En ERPNext, versiones v12.0.9--v13.0.3, son vulnerables a un ataque de tipo Cross-Site-Scripting (XSS) Almacenado, debido a que las entradas del usuario no son comprobados apropiadamente. Un atacante poco privilegiado podr\u00eda inyectar c\u00f3digo arbitrario en los campos de entrada cuando edita su perfil" } ], "id": "CVE-2022-23057", "lastModified": "2024-11-21T06:47:54.110", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, 
"impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-06-22T08:15:07.557", "references": [ { "source": "vulnerabilitylab@mend.io", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" }, { "source": "vulnerabilitylab@mend.io", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23057" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23057" } ], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "vulnerabilitylab@mend.io", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-05-05 16:15
Modified
2025-06-17 14:13
Summary
A cross-site request forgery (CSRF) vulnerability was discovered in ERPNext 14.82.1 and 14.74.3. Because of missing CSRF protections, an attacker who gets an authenticated user to load a crafted page can perform unauthorized actions in that user's context, such as user deletion, password resets, and privilege escalation. The only references listed are a third-party exploit repository and the product's GitHub page — no vendor advisory or fix commit — so the two versions named should be read as the reporter's tested versions rather than a confirmed affected range; verify against upstream before assuming other releases are unaffected.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:14.74.3:*:*:*:*:*:*:*", "matchCriteriaId": "5CF42DBE-9321-4CC3-9093-3CAB462BCDFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:14.82.1:*:*:*:*:*:*:*", "matchCriteriaId": "951326DA-FE7B-4DED-AAC5-F889C79BD830", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections." }, { "lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de Cross-Site Request Forgery (CSRF) en ERPNEXT 14.82.1 y 14.74.3. Esta vulnerabilidad permite a un atacante realizar acciones no autorizadas, como la eliminaci\u00f3n de usuarios, el restablecimiento de contrase\u00f1as y la escalada de privilegios, debido a la falta de protecci\u00f3n CSRF." 
} ], "id": "CVE-2025-28062", "lastModified": "2025-06-17T14:13:04.563", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-05-05T16:15:51.310", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://github.com/Thvt0ne/CVE-2025-28062" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/frappe/erpnext" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-22 17:15
Modified
2024-11-21 06:57
Summary
Frappe ERPNext 12.29.0 is vulnerable to cross-site scripting (XSS): the software does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served as a web page to other users. Note that the two references tagged "Vendor Advisory" are only the erpnext.com and frappe.com home pages; the concrete details are in the Packet Storm entry and the linked proof-of-concept document.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:12.29.0:*:*:*:*:*:*:*", "matchCriteriaId": "D364DA01-686F-4525-81CE-7CB8389A8A23", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users." }, { "lang": "es", "value": "Frappe ERPNext versi\u00f3n 12.29.0, es vulnerable a un ataque de tipo XSS cuando el software no neutraliza o neutraliza incorrectamente la entrada controlable por el usuario antes de colocarla en la salida que es usada como p\u00e1gina web que sirve a otros usuarios." } ], "id": "CVE-2022-28598", "lastModified": "2024-11-21T06:57:33.837", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-22T17:15:08.123", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://erpnext.com" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://frappe.com" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/171730/ERPNext-12.29-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ERPNext%20-%2012.29.0.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor 
Advisory" ], "url": "http://erpnext.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://frappe.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/171730/ERPNext-12.29-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ERPNext%20-%2012.29.0.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI user/, como es demostrado por una direcci\u00f3n de correo electr\u00f3nico dise\u00f1ada." } ], "id": "CVE-2019-20519", "lastModified": "2024-11-21T04:38:39.500", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", 
"privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.570", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-10 14:15
Modified
2024-11-21 05:35
Summary
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection; the attacker must be authenticated to reach the endpoint. Note that the reporter (Cisco Talos) and NVD assess the impact quite differently — CVSS v3.0 6.4 (C:L/I:L/A:N) versus CVSS v3.1 8.8 (C:H/I:H/A:H) — so check which score your triage tooling consumes.
References
▼ | URL | Tags | |
---|---|---|---|
talos-cna@cisco.com | https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.38:*:*:*:*:*:*:*", "matchCriteriaId": "A767F297-67E3-4622-B5B0-F50686F77004", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability." }, { "lang": "es", "value": "Se presenta una vulnerabilidad de inyecci\u00f3n SQL en la funcionalidad frappe.desk.reportview.get de ERPNext versi\u00f3n 11.1.38. Una petici\u00f3n HTTP especialmente dise\u00f1ada puede causar una inyecci\u00f3n SQL. Un atacante puede llevar a cabo una petici\u00f3n HTTP autenticada para desencadenar esta vulnerabilidad" } ], "id": "CVE-2020-6145", "lastModified": "2024-11-21T05:35:11.810", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": 
"talos-cna@cisco.com", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-10T14:15:13.203", "references": [ { "source": "talos-cna@cisco.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091" } ], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "talos-cna@cisco.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-06-22 09:15
Modified
2024-11-21 06:47
Summary
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to missing authorization in the chat rooms functionality. A low-privileged attacker can send a direct message or a group message to any member or group while impersonating the administrator, and can also read chat messages of groups they do not belong to and of other users. The referenced code is in the frappe/frappe repository (frappe/chat/doctype/chat_message/chat_message.py), so the vulnerable component is the Frappe framework's chat module; confirm the installed Frappe version, not only ERPNext's.
References
▼ | URL | Tags | |
---|---|---|---|
vulnerabilitylab@mend.io | https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134 | Exploit, Third Party Advisory | |
vulnerabilitylab@mend.io | https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155 | Exploit, Third Party Advisory | |
vulnerabilitylab@mend.io | https://www.mend.io/vulnerability-database/CVE-2022-23055 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.mend.io/vulnerability-database/CVE-2022-23055 | Exploit, Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
frappe | erpnext | * | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 | |
frappe | erpnext | 11.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBF3D7E6-2B29-4142-A007-F699140D1C9A", "versionEndExcluding": "13.1.0", "versionStartIncluding": "11.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "B76E3184-E14E-485B-A108-C1F24850F77E", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta10:*:*:*:*:*:*", "matchCriteriaId": "C9DCB37E-061E-44D6-A686-6464B5BE54D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta11:*:*:*:*:*:*", "matchCriteriaId": "93C2D6DF-B4E5-434B-8632-DB1DF10CE5E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta12:*:*:*:*:*:*", "matchCriteriaId": "0C6F3220-13B5-4504-87DB-09495E5E1386", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta13:*:*:*:*:*:*", "matchCriteriaId": "D6AFF494-240F-4981-B4EC-24771A6E1E4C", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta14:*:*:*:*:*:*", "matchCriteriaId": "69D3FEA8-FC3F-434E-AFA6-D03D8EFAC524", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta15:*:*:*:*:*:*", "matchCriteriaId": "D9D81630-3EE2-498E-9A76-0F0C1CDD1A15", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta16:*:*:*:*:*:*", "matchCriteriaId": "C3367D0E-5701-4FCA-8307-0FA7D25D71E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta17:*:*:*:*:*:*", "matchCriteriaId": "1DBD878F-935B-427F-B6DF-4DA4356E9843", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta18:*:*:*:*:*:*", "matchCriteriaId": "DAE5DFE4-55B8-4F68-8C3A-2CDC13D8A735", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta19:*:*:*:*:*:*", "matchCriteriaId": "6F22BFC9-CA3D-4B57-AD93-1B5094D69508", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta2:*:*:*:*:*:*", "matchCriteriaId": 
"FE5E71D9-CCD4-47F4-9AC8-4E4A112E9C0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta20:*:*:*:*:*:*", "matchCriteriaId": "CA394555-C3A0-4142-B023-60A9014C87E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta21:*:*:*:*:*:*", "matchCriteriaId": "6B5C737A-A824-4E7D-A8D6-A0E0A4AE710A", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta22:*:*:*:*:*:*", "matchCriteriaId": "33E4D6A6-2F64-4DB8-9946-5E54FE889E6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta23:*:*:*:*:*:*", "matchCriteriaId": "8AAD166B-0B54-4D74-A61D-A17F34C403F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta24:*:*:*:*:*:*", "matchCriteriaId": "2856944B-7178-414D-B485-5B8C4D88E95D", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta25:*:*:*:*:*:*", "matchCriteriaId": "27EE33DF-6485-463D-BB51-33D4295D3E55", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta26:*:*:*:*:*:*", "matchCriteriaId": "FBEED6D7-3EA2-4BC0-B7F8-5F104F90EB82", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta27:*:*:*:*:*:*", "matchCriteriaId": "C5E9A6A8-A210-467F-888C-1327C8E5F5D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta28:*:*:*:*:*:*", "matchCriteriaId": "97CA5919-E7B0-417B-BF91-6B407F83F167", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta29:*:*:*:*:*:*", "matchCriteriaId": "E0C2C925-F3D3-4C5D-A281-2BE62F32BB52", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "0411AA32-05B2-49C2-A0DC-8F74BDABCA3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta30:*:*:*:*:*:*", "matchCriteriaId": "31D7C223-4E62-41E1-A88F-54DF1DFA9C75", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta31:*:*:*:*:*:*", "matchCriteriaId": "C1686CCA-6C44-425C-B851-D429A5C550CF", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta32:*:*:*:*:*:*", "matchCriteriaId": "873CA32C-42A6-4531-838A-E4B584AB389D", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta33:*:*:*:*:*:*", "matchCriteriaId": "17B6D20B-863A-48C0-8600-BE768498DBFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta34:*:*:*:*:*:*", "matchCriteriaId": "6CA04572-0978-4378-A658-15896AFDEBFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta35:*:*:*:*:*:*", "matchCriteriaId": "8697CA97-1F21-4158-9773-BB67A250BDD7", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta36:*:*:*:*:*:*", "matchCriteriaId": "E7746744-C5D1-459E-9574-ADC2FD24CED8", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta37:*:*:*:*:*:*", "matchCriteriaId": "1F61D01B-BB6D-4A4E-9774-BEC19997A733", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta4:*:*:*:*:*:*", "matchCriteriaId": "EE9DFDFA-9387-46C2-BC9C-58A90713F0E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta5:*:*:*:*:*:*", "matchCriteriaId": "86661EEC-799A-404B-A847-D91A00403F3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta6:*:*:*:*:*:*", "matchCriteriaId": "2AFA67C7-6829-4160-A7C8-B3DD56E60CF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta7:*:*:*:*:*:*", "matchCriteriaId": "90E1D4DA-2D89-4CD5-B34F-33D96BD2C341", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta8:*:*:*:*:*:*", "matchCriteriaId": "8B4BE801-0FF0-4B44-8DCF-E2805DCC39A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta9:*:*:*:*:*:*", "matchCriteriaId": "B4AE27CF-FCAF-4491-AAC1-8EB5E5C5FD6A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms 
functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users." }, { "lang": "es", "value": "En ERPNext, versiones v11.0.0-beta hasta v13.0.2, son vulnerables a una falta de autorizaci\u00f3n, en la funcionalidad chat rooms. Un atacante poco privilegiado puede enviar un mensaje directo o un mensaje de grupo a cualquier miembro o grupo, haci\u00e9ndose pasar por el administrador. El atacante tambi\u00e9n puede leer los mensajes de chat de grupos a los que no pertenece, y de otros usuarios" } ], "id": "CVE-2022-23055", "lastModified": "2024-11-21T06:47:53.840", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2022-06-22T09:15:08.007", "references": [ { "source": "vulnerabilitylab@mend.io", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134" }, { "source": "vulnerabilitylab@mend.io", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155" }, { "source": "vulnerabilitylab@mend.io", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23055" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23055" } ], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "vulnerabilitylab@mend.io", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-06-22 08:15
Modified
2024-11-21 06:47
Severity ?
Summary
ERPNext versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.
References
▼ | URL | Tags | |
---|---|---|---|
vulnerabilitylab@mend.io | https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | Patch, Third Party Advisory | |
vulnerabilitylab@mend.io | https://www.mend.io/vulnerability-database/CVE-2022-23058 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.mend.io/vulnerability-database/CVE-2022-23058 | Exploit, Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "499D0203-C1EF-4D8F-9D5B-624AB22B7624", "versionEndExcluding": "13.1.0", "versionStartIncluding": "12.0.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the \u2018username\u2019 field in \u2018my settings\u2019 which can lead to full account takeover." }, { "lang": "es", "value": "En ERPNext, versiones v12.0.9-v13.0.3, est\u00e1n afectadas por una vulnerabilidad de tipo XSS almacenada que permite a usuarios con pocos privilegios almacenar scripts maliciosos en el campo \"username\" en \"my settings\", lo que puede conllevar a una toma de control total de la cuenta" } ], "id": "CVE-2022-23058", "lastModified": "2024-11-21T06:47:54.230", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2022-06-22T08:15:07.620", "references": [ { "source": "vulnerabilitylab@mend.io", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" }, { "source": "vulnerabilitylab@mend.io", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23058" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23058" } ], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "vulnerabilitylab@mend.io", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-06-22 08:15
Modified
2024-11-21 06:47
Severity ?
Summary
ERPNext versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS on the Patient History page, which allows a low-privileged user to conduct an account takeover attack.
References
▼ | URL | Tags | |
---|---|---|---|
vulnerabilitylab@mend.io | https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288 | Patch, Third Party Advisory | |
vulnerabilitylab@mend.io | https://www.mend.io/vulnerability-database/CVE-2022-23056 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.mend.io/vulnerability-database/CVE-2022-23056 | Exploit, Patch, Third Party Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "658B50C9-2AC2-449E-A43B-62EF6092E302", "versionEndExcluding": "13.30.0", "versionStartIncluding": "13.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:13.0.0:beta13:*:*:*:*:*:*", "matchCriteriaId": "42DE3B99-91F9-49CD-805D-ACA330131025", "vulnerable": true }, { "criteria": "cpe:2.3:a:frappe:erpnext:13.0.0:beta14:*:*:*:*:*:*", "matchCriteriaId": "94C1D457-5B67-47C9-A28A-8D9662B1CE26", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack." }, { "lang": "es", "value": "En ERPNext, versiones v13.0.0-beta.13 hasta v13.30.0, son vulnerables a un ataque de tipo XSS almacenado en la p\u00e1gina del historial del paciente, lo que permite a un usuario con pocos privilegios conducir un ataque de toma de control de la cuenta" } ], "id": "CVE-2022-23056", "lastModified": "2024-11-21T06:47:53.983", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2022-06-22T08:15:07.410", "references": [ { "source": "vulnerabilitylab@mend.io", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288" }, { "source": "vulnerabilitylab@mend.io", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23056" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23056" } ], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "vulnerabilitylab@mend.io", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Severity ?
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI address/." } ], "id": "CVE-2019-20514", "lastModified": "2024-11-21T04:38:38.793", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.133", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-05-22 01:29
Modified
2024-11-21 03:43
Severity ?
Summary
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587 | Exploit, Vendor Advisory | |
cve@mitre.org | https://github.com/frappe/frappe/issues/5546 | Exploit, Third Party Advisory | |
cve@mitre.org | https://www.exploit-db.com/exploits/44691/ | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/frappe/frappe/issues/5546 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/44691/ | Exploit, Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.x.x-develop_b1036e5:*:*:*:*:*:*:*", "matchCriteriaId": "3CFA468E-6F6A-42C9-B00A-55C1C3AF2844", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment." }, { "lang": "es", "value": "Se ha descubierto un problema de Cross-Site Scripting (XSS) en Frappe ERPNext v11.x.x-develop b1036e5 mediante un comentario." } ], "id": "CVE-2018-11339", "lastModified": "2024-11-21T03:43:10.033", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-05-22T01:29:00.497", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://github.com/frappe/frappe/issues/5546" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/44691/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/frappe/frappe/issues/5546" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/44691/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Severity ?
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI contact/." } ], "id": "CVE-2019-20517", "lastModified": "2024-11-21T04:38:39.207", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.413", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Severity ?
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI blog/." } ], "id": "CVE-2019-20516", "lastModified": "2024-11-21T04:38:39.070", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.350", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Severity ?
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI project/." } ], "id": "CVE-2019-20518", "lastModified": "2024-11-21T04:38:39.350", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.507", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Severity ?
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI api/method/" } ], "id": "CVE-2019-20520", "lastModified": "2024-11-21T04:38:39.637", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.663", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-09-16 14:15
Modified
2025-09-20 02:58
Severity ?
Summary
In Frappe ERPNext v15.57.5, the function get_stock_balance() in erpnext/stock/utils.py is vulnerable to SQL injection, which allows an attacker to extract all information from the database by injecting a SQL query into the inventory_dimensions_dict parameter.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:15.57.5:*:*:*:*:*:*:*", "matchCriteriaId": "376805E2-896A-4FBF-9646-A23817F277D5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into inventory_dimensions_dict parameter." } ], "id": "CVE-2025-52044", "lastModified": "2025-09-20T02:58:35.227", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-09-16T14:15:54.783", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/Vietsunshine-Electronic-Solution-JSC/Vulnerability-Disclosures/blob/main/2025/Frappe%20Framework%20-%20Multiple%20SQL%20Injection.md" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://github.com/frappe/erpnext/pull/49192/commits/eb22794f14351c2ff5731548c48bef0b91765c86" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-19 18:15
Modified
2024-11-21 04:38
Severity ?
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI api/." } ], "id": "CVE-2019-20521", "lastModified": "2024-11-21T04:38:39.773", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.727", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-18 19:15
Modified
2024-11-21 04:38
Severity ?
Summary
ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:frappe:erpnext:11.1.47:*:*:*:*:*:*:*", "matchCriteriaId": "C74B7486-35C1-49C7-91FB-FC3475B7A23D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows blog?blog_category= Frame Injection." }, { "lang": "es", "value": "ERPNext versi\u00f3n 11.1.47, permite una Inyecci\u00f3n de Trama de blog?blog_category=." } ], "id": "CVE-2019-20511", "lastModified": "2024-11-21T04:38:38.387", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" 
}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-18T19:15:17.090", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2019-20514 (GCVE-0-2019-20514)
Vulnerability from cvelistv5
Published
2020-03-19 17:50
Modified
2024-08-05 02:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.153Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:50:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20514", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20514", "datePublished": "2020-03-19T17:50:31", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.153Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20521 (GCVE-0-2019-20521)
Vulnerability from cvelistv5
Published
2020-03-19 17:52
Modified
2024-08-05 02:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.135Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:52:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20521", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20521", "datePublished": "2020-03-19T17:52:51", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.135Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23058 (GCVE-0-2022-23058)
Vulnerability from cvelistv5
Published
2022-06-22 07:30
Modified
2024-09-16 17:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.
References
▼ | URL | Tags |
---|---|---|
https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | x_refsource_MISC | |
https://www.mend.io/vulnerability-database/CVE-2022-23058 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:43.321Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23058" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "frappe", "vendor": "frappe", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "v12.0.9", "versionType": "custom" }, { "lessThanOrEqual": "v13.0.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Mend Vulnerability Research Team (MVR)" } ], "datePublic": "2022-05-19T00:00:00", "descriptions": [ { "lang": "en", "value": "ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the \u2018username\u2019 field in \u2018my settings\u2019 which can lead to full account takeover." 
} ], "metrics": [ { "other": { "content": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1 }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-22T07:30:21", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23058" } ], "solutions": [ { "lang": "en", "value": "Update version to v13.1.0 or later" } ], "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" }, "title": "ERPNext - Stored XSS in My Settings", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "May 19, 2022, 12:00:00 AM", "ID": "CVE-2022-23058", "STATE": "PUBLIC", "TITLE": "ERPNext - Stored XSS in My Settings" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "frappe", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "v12.0.9" }, { "version_affected": "\u003c=", "version_value": "v13.0.3" } ] } } ] }, "vendor_name": "frappe" } ] } }, "credit": [ { "lang": "eng", "value": "Mend Vulnerability Research Team (MVR)" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the \u2018username\u2019 field in \u2018my settings\u2019 which can lead to full account takeover." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1 } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7", "refsource": "MISC", "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" }, { "name": "https://www.mend.io/vulnerability-database/CVE-2022-23058", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-23058" } ] }, "solution": [ { "lang": "en", "value": "Update version to v13.1.0 or later" } ], "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-23058", "datePublished": "2022-06-22T07:30:21.429229Z", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-09-16T17:37:58.854Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20511 (GCVE-0-2019-20511)
Vulnerability from cvelistv5
Published
2020-03-18 17:41
Modified
2024-08-05 02:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.157Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows blog?blog_category= Frame Injection." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-18T17:41:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20511", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows blog?blog_category= Frame Injection." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-018-frame-injection-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20511", "datePublished": "2020-03-18T17:41:04", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.157Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23056 (GCVE-0-2022-23056)
Vulnerability from cvelistv5
Published
2022-06-22 07:25
Modified
2024-09-17 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ERPNext versions v13.0.0-beta.13 through v13.30.0 are vulnerable to stored XSS on the Patient History page, which allows a low-privileged user to conduct an account takeover attack.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:43.275Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23056" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "erpnext", "vendor": "erpnext", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "v13.0.0-beta.13", "versionType": "custom" }, { "lessThanOrEqual": "v13.30.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Mend Vulnerability Research Team (MVR)" } ], "datePublic": "2022-05-17T00:00:00", "descriptions": [ { "lang": "en", "value": "In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack." 
} ], "metrics": [ { "other": { "content": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1 }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-22T07:25:16", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23056" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288" } ], "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" }, "title": "ERPNext - Stored XSS leads to account takover", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "May 17, 2022, 12:00:00 AM", "ID": "CVE-2022-23056", "STATE": "PUBLIC", "TITLE": "ERPNext - Stored XSS leads to account takover" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "erpnext", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "v13.0.0-beta.13" }, { "version_affected": "\u003c=", "version_value": "v13.30.0" } ] } } ] }, "vendor_name": "erpnext" } ] } }, "credit": [ { "lang": "eng", "value": "Mend Vulnerability Research Team (MVR)" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", 
"description": { "description_data": [ { "lang": "eng", "value": "In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1 } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mend.io/vulnerability-database/CVE-2022-23056", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-23056" }, { "name": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288", "refsource": "MISC", "url": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288" } ] }, "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-23056", "datePublished": "2022-06-22T07:25:16.868936Z", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-09-17T03:59:39.893Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-28062 (GCVE-0-2025-28062)
Vulnerability from cvelistv5
Published
2025-05-05 00:00
Modified
2025-05-13 19:10
CWE
- n/a
Summary
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
References
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-28062", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-13T19:09:56.442689Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T19:10:01.268Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-05T16:03:23.835Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/frappe/erpnext" }, { "url": "https://github.com/Thvt0ne/CVE-2025-28062" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2025-28062", "datePublished": "2025-05-05T00:00:00.000Z", "dateReserved": "2025-03-11T00:00:00.000Z", "dateUpdated": "2025-05-13T19:10:01.268Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-28598 (GCVE-0-2022-28598)
Vulnerability from cvelistv5
Published
2022-08-22 00:00
Modified
2024-08-03 05:56
CWE
- n/a
Summary
Frappe ERPNext 12.29.0 is vulnerable to XSS because the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:56:16.128Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "http://erpnext.com" }, { "tags": [ "x_transferred" ], "url": "http://frappe.com" }, { "tags": [ "x_transferred" ], "url": "https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ERPNext%20-%2012.29.0.pdf" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/171730/ERPNext-12.29-Cross-Site-Scripting.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-06T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://erpnext.com" }, { "url": "http://frappe.com" }, { "url": "https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ERPNext%20-%2012.29.0.pdf" }, { "url": "http://packetstormsecurity.com/files/171730/ERPNext-12.29-Cross-Site-Scripting.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-28598", "datePublished": "2022-08-22T00:00:00", "dateReserved": "2022-04-04T00:00:00", "dateUpdated": "2024-08-03T05:56:16.128Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20520 (GCVE-0-2019-20520)
Vulnerability from cvelistv5
Published
2020-03-19 17:52
Modified
2024-08-05 02:46
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.138Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:52:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20520", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20520", "datePublished": "2020-03-19T17:52:46", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.138Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-20061 (GCVE-0-2018-20061)
Vulnerability from cvelistv5
Published
2018-12-11 17:00
Modified
2024-08-05 11:51
CWE
- n/a
Summary
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.
References
▼ | URL | Tags |
---|---|---|
https://github.com/frappe/erpnext/issues/15337 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:51:18.930Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/frappe/erpnext/issues/15337" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-12-11T00:00:00", "descriptions": [ { "lang": "en", "value": "A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-11T17:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/erpnext/issues/15337" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-20061", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. 
This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/frappe/erpnext/issues/15337", "refsource": "MISC", "url": "https://github.com/frappe/erpnext/issues/15337" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-20061", "datePublished": "2018-12-11T17:00:00", "dateReserved": "2018-12-11T00:00:00", "dateUpdated": "2024-08-05T11:51:18.930Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23055 (GCVE-0-2022-23055)
Vulnerability from cvelistv5
Published
2022-06-22 08:25
Modified
2024-09-16 17:53
CWE
- CWE-862 - Missing Authorization
Summary
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:43.287Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23055" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "frappe", "vendor": "frappe", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "v11.0.3-beta.1", "versionType": "custom" }, { "lessThanOrEqual": "v13.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Mend Vulnerability Research Team (MVR)" } ], "datePublic": "2022-03-09T00:00:00", "descriptions": [ { "lang": "en", "value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users." 
} ], "metrics": [ { "other": { "content": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": 3.1 }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-30T17:56:47", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23055" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155" } ], "solutions": [ { "lang": "en", "value": "Update version to v13.1.0 or later" } ], "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" }, "title": "ERPNext - Improper user access conrol", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "Mar 9, 2022, 12:00:00 AM", "ID": "CVE-2022-23055", "STATE": "PUBLIC", "TITLE": "ERPNext - Improper user access conrol" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "frappe", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "v11.0.3-beta.1" }, { "version_affected": "\u003c=", "version_value": "v13.14.1" } ] } } ] }, "vendor_name": "frappe" } ] } }, "credit": [ { "lang": "eng", "value": "Mend Vulnerability Research 
Team (MVR)" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": 3.1 } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-862 Missing Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mend.io/vulnerability-database/CVE-2022-23055", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-23055" }, { "name": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134", "refsource": "MISC", "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134" }, { "name": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155", "refsource": "MISC", "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155" } ] }, "solution": [ { "lang": "en", "value": "Update version to v13.1.0 or later" } ], "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": 
"478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-23055", "datePublished": "2022-06-22T08:25:10.197361Z", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-09-16T17:53:19.267Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20515 (GCVE-0-2019-20515)
Vulnerability from cvelistv5
Published
2020-03-19 17:50
Modified
2024-08-05 02:46
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.201Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:50:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20515", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20515", "datePublished": "2020-03-19T17:50:47", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.201Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-6145 (GCVE-0-2020-6145)
Vulnerability from cvelistv5
Published
2020-08-10 13:10
Modified
2024-08-04 08:55
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:55:21.489Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ERPNext", "vendor": "n/a", "versions": [ { "status": "affected", "version": "ERPNext 11.1.38" } ] } ], "descriptions": [ { "lang": "en", "value": "An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-10T13:10:24", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "talos-cna@cisco.com", "ID": "CVE-2020-6145", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ERPNext", "version": { "version_data": [ { "version_value": "ERPNext 11.1.38" } ] } } ] }, "vendor_name": "n/a" } ] } }, 
"data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability." } ] }, "impact": { "cvss": { "baseScore": 6.4, "baseSeverity": "Medium", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091", "refsource": "MISC", "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091" } ] } } } }, "cveMetadata": { "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2020-6145", "datePublished": "2020-08-10T13:10:24", "dateReserved": "2020-01-07T00:00:00", "dateUpdated": "2024-08-04T08:55:21.489Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20518 (GCVE-0-2019-20518)
Vulnerability from cvelistv5
Published
2020-03-19 17:52
Modified
2024-08-05 02:46
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.321Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:52:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20518", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20518", "datePublished": "2020-03-19T17:52:20", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.321Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20517 (GCVE-0-2019-20517)
Vulnerability from cvelistv5
Published
2020-03-19 17:52
Modified
2024-08-05 02:46
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.170Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:52:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20517", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20517", "datePublished": "2020-03-19T17:52:07", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.170Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20519 (GCVE-0-2019-20519)
Vulnerability from cvelistv5
Published
2020-03-19 17:52
Modified
2024-08-05 02:46
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:08.507Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:52:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20519", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a 
crafted e-mail address." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20519", "datePublished": "2020-03-19T17:52:35", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:08.507Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-58439 (GCVE-0-2025-58439)
Vulnerability from cvelistv5
Published
2025-09-06 00:30
Modified
2025-09-08 14:06
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, a lack of parameter validation left certain endpoints vulnerable to error-based SQL injection. Some information, such as the database version, could be retrieved. This issue is fixed in versions 14.89.2 and 15.76.0.
References
▼ | URL | Tags |
---|---|---|
https://github.com/frappe/erpnext/security/advisories/GHSA-fvjw-5w9q-6v39 | x_refsource_CONFIRM | |
https://github.com/frappe/erpnext/pull/49219 | x_refsource_MISC | |
https://github.com/frappe/erpnext/pull/49220 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-58439", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-08T13:58:31.827680Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-08T14:06:07.055Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "erpnext", "vendor": "frappe", "versions": [ { "status": "affected", "version": "\u003e=15.0.0, \u003c 15.76.0" }, { "status": "affected", "version": "\u003c 14.89.2" } ] } ], "descriptions": [ { "lang": "en", "value": "ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is fixed in versions 14.89.2 and 15.76.0." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-06T00:30:26.689Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/frappe/erpnext/security/advisories/GHSA-fvjw-5w9q-6v39", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/frappe/erpnext/security/advisories/GHSA-fvjw-5w9q-6v39" }, { "name": "https://github.com/frappe/erpnext/pull/49219", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/erpnext/pull/49219" }, { "name": "https://github.com/frappe/erpnext/pull/49220", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/erpnext/pull/49220" } ], "source": { "advisory": "GHSA-fvjw-5w9q-6v39", "discovery": "UNKNOWN" }, "title": "ERP: Possibility of SQL injection due to missing validation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-58439", "datePublished": "2025-09-06T00:30:26.689Z", "dateReserved": "2025-09-01T20:03:06.532Z", "dateUpdated": "2025-09-08T14:06:07.055Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23057 (GCVE-0-2022-23057)
Vulnerability from cvelistv5
Published
2022-06-22 07:25
Modified
2024-09-16 17:14
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to stored cross-site scripting (XSS) because user input is not validated properly. A low-privileged attacker could inject arbitrary code into input fields when editing their own profile.
References
▼ | URL | Tags |
---|---|---|
https://www.mend.io/vulnerability-database/CVE-2022-23057 | x_refsource_MISC | |
https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:43.256Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23057" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "frappe", "vendor": "frappe", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "v12.0.9", "versionType": "custom" }, { "lessThanOrEqual": "v13.0.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Mend Vulnerability Research Team (MVR)" } ], "datePublic": "2022-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile." 
} ], "metrics": [ { "other": { "content": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": 3.1 }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-22T07:25:11", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23057" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" } ], "solutions": [ { "lang": "en", "value": "Update version to v13.1.0 or later" } ], "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" }, "title": "ERPNext - Stored XSS in My Profile", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "May 18, 2022, 12:00:00 AM", "ID": "CVE-2022-23057", "STATE": "PUBLIC", "TITLE": "ERPNext - Stored XSS in My Profile" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "frappe", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "v12.0.9" }, { "version_affected": "\u003c=", "version_value": "v13.0.3" } ] } } ] }, "vendor_name": "frappe" } ] } }, "credit": [ { "lang": "eng", "value": "Mend Vulnerability Research Team (MVR)" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": 3.1 } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mend.io/vulnerability-database/CVE-2022-23057", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-23057" }, { "name": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7", "refsource": "MISC", "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" } ] }, "solution": [ { "lang": "en", "value": "Update version to v13.1.0 or later" } ], "source": { "advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-23057", "datePublished": "2022-06-22T07:25:11.161456Z", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-09-16T17:14:26.886Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-11339 (GCVE-0-2018-11339)
Vulnerability from cvelistv5
Published
2018-05-22 01:00
Modified
2024-08-05 08:01
CWE
- n/a
Summary
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
References
▼ | URL | Tags |
---|---|---|
https://github.com/frappe/frappe/issues/5546 | x_refsource_MISC | |
https://www.exploit-db.com/exploits/44691/ | exploit, x_refsource_EXPLOIT-DB | |
https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T08:01:52.892Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/frappe/frappe/issues/5546" }, { "name": "44691", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/44691/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-05-21T00:00:00", "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-05-24T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/frappe/frappe/issues/5546" }, { "name": "44691", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/44691/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11339", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 
via a comment." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/frappe/frappe/issues/5546", "refsource": "MISC", "url": "https://github.com/frappe/frappe/issues/5546" }, { "name": "44691", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44691/" }, { "name": "https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587", "refsource": "MISC", "url": "https://discuss.erpnext.com/t/stored-xss-in-erpnext-demo-website/36587" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11339", "datePublished": "2018-05-22T01:00:00", "dateReserved": "2018-05-21T00:00:00", "dateUpdated": "2024-08-05T08:01:52.892Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20516 (GCVE-0-2019-20516)
Vulnerability from cvelistv5
Published
2020-03-19 17:51
Modified
2024-08-05 02:46
CWE
- n/a
Summary
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
References
▼ | URL | Tags |
---|---|---|
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:08.484Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:51:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20516", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20516", "datePublished": "2020-03-19T17:51:46", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:08.484Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }