ERPNext Security Vulnerabilities

CVE-2018-11339
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
CVSS 6.1 | AI Score 5.8 | EPSS 0.002 | 2018-05-22 01:29 AM

CVE-2018-20061
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that call...
CVSS 7.5 | AI Score 7.8 | EPSS 0.001 | 2018-12-11 05:29 PM

CVE-2019-20511
ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
CVSS 6.1 | AI Score 6.2 | EPSS 0.001 | 2020-03-18 07:15 PM

CVE-2019-20514
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2019-20515
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2019-20516
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2019-20517
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2019-20518
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2019-20519
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2019-20520
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2019-20521
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-03-19 06:15 PM

CVE-2020-6145
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 8.8 | AI Score 8.9 | EPSS 0.001 | 2020-08-10 02:15 PM

CVE-2022-23055
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group while impersonating the administrator. The attacker can also read chat m...
AI Score 6.5 | EPSS 0.001 | 2022-06-22 09:15 AM

CVE-2022-23056
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page, which allows a low privilege user to conduct an account takeover attack.
AI Score 5.7 | EPSS 0.0004 | 2022-06-22 08:15 AM

CVE-2022-23057
In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing their profile.
CVSS 5.4 | AI Score 5.6 | EPSS 0.001 | 2022-06-22 08:15 AM

CVE-2022-23058
ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.
AI Score 5.4 | EPSS 0.0004 | 2022-06-22 08:15 AM

CVE-2022-28598
Frappe ERPNext 12.29.0 is vulnerable to XSS: the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2022-08-22 05:15 PM