Frappe: >> Erpnext >> 11.1.47 Security Vulnerabilities
ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is fixed in versions 14.89.2 and 15.76.0.
CVSS Score
8.1
EPSS Score
0.0
Published
2025-09-06
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
CVSS Score
5.5
EPSS Score
0.003
Published
2022-06-22
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
CVSS Score
7.4
EPSS Score
0.003
Published
2020-03-19
Page 1