ERPNext 12.29 - Cross-Site Scripting (XSS)

2023-04-0500:00:00

Patrick Dean Ramos / Nathu Nandwani / Junnair Manla

www.exploit-db.com

cross-site scripting

stored xss

erpnext 12.29

my settings.

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

49.3%

JSON

# Exploit Title: ERPNext 12.29 - Cross-Site Scripting (XSS)
# Date: 7 Feb 2023 
# Exploit Author: Patrick Dean Ramos / Nathu Nandwani / Junnair Manla
#Github - https://github.com/patrickdeanramos/CVE-2022-28598
# Vendor Homepage: https://erpnext.com/
# Version: 12.29
# CVE-2022-28598

Summary: Stored cross-site scripting (XSS) vulnerability was found in ERPNext 12.29 where the 
"last_known_version" field found in the "My Setting" page in ERPNext 
12.29.0 allows remote attackers to inject arbitrary web script or HTML via 
a crafted site name by doing an authenticated POST HTTP request to 
'/desk#Form/User/(Authenticated User)' and inject the script in the 
'last_known_version' field where we are able to view the script by 
clicking the 'pdf' view form.

This vulnerability is specifically the "last_known_version" field found 
under the 'My Settings' where we need to first save the my settings.

1. Login as any user
2. Under the ‘last_known_version’ field we are going to inject our 
malicious script.
3. To view our injected script we need to click the view pdf page, and as 
seen below we have successfully injected our script.