Frappe: >> Erpnext Security Vulnerabilities
In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-06-22
ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.
CVSS Score
3.5
EPSS Score
0.002
Published
2022-06-22
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS Score
6.4
EPSS Score
0.017
Published
2020-08-10
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19