Lucene search

[email protected]NVD:CVE-2022-23058

HistoryJun 22, 2022 - 8:15 a.m.

CVE-2022-23058

2022-06-2208:15:07

CWE-79

[email protected]

web.nvd.nist.gov

erpnext

xss

vulnerability

account takeover

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS

Percentile

12.8%

JSON

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.

Affected configurations

Nvd

Node

frappeerpnextRange12.0.9–13.1.0

VendorProductVersionCPE
frappeerpnext*cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
frappe	erpnext	*	cpe:2.3:a:frappe:erpnext::::::::

References

github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7

www.mend.io/vulnerability-database/CVE-2022-23058

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS

Percentile

12.8%

JSON

Related for NVD:CVE-2022-23058

osv1 cve1 prion1 cvelist1