Lucene search

[email protected]CVE-2022-23055

HistoryJun 22, 2022 - 9:15 a.m.

CVE-2022-23055

2022-06-2209:15:00

CWE-862

[email protected]

web.nvd.nist.gov

erpnext

vulnerability

authorization

chat rooms

cve-2022-23055

5.3 Medium

AI Score

Confidence

High

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

0.0004 Low

EPSS

Percentile

14.4%

JSON

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.

CPENameOperatorVersion
frappe:erpnextfrappe erpnexteq11.0.3
frappe:erpnextfrappe erpnextlt13.1.0

CPE	Name	Operator	Version
frappe:erpnext	frappe erpnext	eq	11.0.3
frappe:erpnext	frappe erpnext	lt	13.1.0

References

github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134

github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155

www.mend.io/vulnerability-database/CVE-2022-23055

Social References

5.3 Medium

AI Score

Confidence

High

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

0.0004 Low

EPSS

Percentile

14.4%

JSON

Related for CVE-2022-23055

osv1 prion1