CVE-2025-28062: CSRF
First published: Mon May 05 2025(Updated: )
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ERPNext | >=14.74.3<=14.82.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-28062?
CVE-2025-28062 is considered a high severity vulnerability due to its ability to allow unauthorized actions like user deletion and privilege escalation.
How do I fix CVE-2025-28062?
To fix CVE-2025-28062, you should update ERPNEXT to the latest version that includes CSRF protections.
Which versions of ERPNEXT are affected by CVE-2025-28062?
CVE-2025-28062 affects ERPNEXT versions 14.82.1 and 14.74.3.
What actions can attackers perform due to CVE-2025-28062?
Attackers can perform unauthorized actions such as user deletion, password resets, and privilege escalation.
How can I protect my ERPNEXT installation from CVE-2025-28062?
Protect your ERPNEXT installation from CVE-2025-28062 by implementing CSRF tokens and regularly updating to secure versions.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/author
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/exploited
- exploited/true
- proof-of-concept/true
- agent/trending
- agent/event
- vendor/frappe
- canonical/erpnext