Lucene search

[email protected]CVE-2022-23055

HistoryJun 22, 2022 - 9:15 a.m.

CVE-2022-23055

2022-06-2209:15:08

CWE-862

[email protected]

web.nvd.nist.gov

erpnext

vulnerability

authorization

chat rooms

cve-2022-23055

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.2%

JSON

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.

Affected configurations

NVD

Node

frappeerpnextRange11.0.4–13.1.0

frappeerpnextMatch11.0.3beta1

frappeerpnextMatch11.0.3beta10

frappeerpnextMatch11.0.3beta11

frappeerpnextMatch11.0.3beta12

frappeerpnextMatch11.0.3beta13

frappeerpnextMatch11.0.3beta14

frappeerpnextMatch11.0.3beta15

frappeerpnextMatch11.0.3beta16

frappeerpnextMatch11.0.3beta17

frappeerpnextMatch11.0.3beta18

frappeerpnextMatch11.0.3beta19

frappeerpnextMatch11.0.3beta2

frappeerpnextMatch11.0.3beta20

frappeerpnextMatch11.0.3beta21

frappeerpnextMatch11.0.3beta22

frappeerpnextMatch11.0.3beta23

frappeerpnextMatch11.0.3beta24

frappeerpnextMatch11.0.3beta25

frappeerpnextMatch11.0.3beta26

frappeerpnextMatch11.0.3beta27

frappeerpnextMatch11.0.3beta28

frappeerpnextMatch11.0.3beta29

frappeerpnextMatch11.0.3beta3

frappeerpnextMatch11.0.3beta30

frappeerpnextMatch11.0.3beta31

frappeerpnextMatch11.0.3beta32

frappeerpnextMatch11.0.3beta33

frappeerpnextMatch11.0.3beta34

frappeerpnextMatch11.0.3beta35

frappeerpnextMatch11.0.3beta36

frappeerpnextMatch11.0.3beta37

frappeerpnextMatch11.0.3beta4

frappeerpnextMatch11.0.3beta5

frappeerpnextMatch11.0.3beta6

frappeerpnextMatch11.0.3beta7

frappeerpnextMatch11.0.3beta8

frappeerpnextMatch11.0.3beta9

CPENameOperatorVersion
frappe:erpnextfrappe erpnextlt13.1.0
frappe:erpnextfrappe erpnexteq11.0.3

CPE	Name	Operator	Version
frappe:erpnext	frappe erpnext	lt	13.1.0
frappe:erpnext	frappe erpnext	eq	11.0.3

CNA Affected

[
  {
    "product": "frappe",
    "vendor": "frappe",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "v11.0.3-beta.1",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v13.14.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134

github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155

www.mend.io/vulnerability-database/CVE-2022-23055

Social References

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.2%

JSON

Related for CVE-2022-23055

osv1 prion1 cvelist1 nvd1