ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.
[
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "v12.0.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "v13.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]