5 matches found

CVE-2022-23056 (added 2022/06/22 8:15 a.m., 78 views)

In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.

CVSS 3.5 | AI score 5.7 | EPSS 0.00226

CVE-2022-23055 (added 2022/06/22 9:15 a.m., 64 views)

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat m...

CVSS 5.5 | AI score 6.3 | EPSS 0.00261

CVE-2022-23058 (added 2022/06/22 8:15 a.m., 55 views)

ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.

CVSS 3.5 | AI score 5.3 | EPSS 0.00226

CVE-2022-23057 (added 2022/06/22 8:15 a.m., 49 views)

In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS) because user input is not validated properly. A low privileged attacker could inject arbitrary code into input fields when editing their profile.

CVSS 5.4 | AI score 5.6 | EPSS 0.00195

CVE-2018-20061 (added 2018/12/11 5:29 p.m., 32 views)

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that call...

CVSS 7.5 | AI score 7.8 | EPSS 0.00264