CVE-2022-23058: ERPNext - Stored XSS in My Settings
First published: Wed Jun 22 2022(Updated: )
ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Frappe ERPNext | >=12.0.9<13.1.0 |
Remedy
Update version to v13.1.0 or later
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-23058?
CVE-2022-23058 is a stored XSS vulnerability in ERPNext versions v12.0.9-v13.0.3.
How can the stored XSS vulnerability in ERPNext be exploited?
The vulnerability allows low privileged users to store malicious scripts in the 'username' field in 'my settings', leading to potential account takeover.
What is the severity of CVE-2022-23058?
CVE-2022-23058 has a severity rating of medium (5.4).
How can I fix the stored XSS vulnerability in ERPNext?
To fix the vulnerability, upgrade ERPNext to versions 13.1.0 or above.
Where can I find more information about CVE-2022-23058?
You can find more information about CVE-2022-23058 in the following references: [GitHub Commit](https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7) and [Mend.io Vulnerability Database](https://www.mend.io/vulnerability-database/CVE-2022-23058).
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/remedy
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/frappe
- canonical/frappe erpnext
- version/frappe erpnext/12.0.9