CVE-2022-23058

Summary

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.

Affected Software

VendorProductVersion RangeStatus
frappefrappev12.0.9 < unspecifiedaffected
frappefrappeunspecified <= v13.0.3affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

References