CVE-2022-23056: ERPNext - Stored XSS leads to account takover
First published: Wed Jun 22 2022(Updated: )
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Frappe ERPNext | >=13.0.1<13.30.0 | |
| Frappe ERPNext | =13.0.0-beta13 | |
| Frappe ERPNext | =13.0.0-beta14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-23056?
The severity of CVE-2022-23056 is medium with a severity value of 5.4.
How does the vulnerability CVE-2022-23056 affect ERPNext?
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page.
What is the risk of storing XSS in ERPNext Patient History?
The risk of Stored XSS in ERPNext Patient History is that it allows a low privilege user to conduct an account takeover attack.
What is the affected software for CVE-2022-23056?
The affected software for CVE-2022-23056 is Frappe ERPNext versions v13.0.0-beta.13 through v13.30.0.
How can I fix the vulnerability CVE-2022-23056?
To fix the vulnerability CVE-2022-23056, it is recommended to upgrade to a version higher than v13.30.0.
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/frappe
- canonical/frappe erpnext
- version/frappe erpnext/13.0.1
- version/frappe erpnext/13.0.0-beta13
- version/frappe erpnext/13.0.0-beta14