Lucene search
HistoryJun 22, 2022 - 8:15 a.m.
CVE-2022-23058
cve-2022-23058
erpnext
stored xss
account takeover
security vulnerability
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
13.0%
ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.
Affected configurations
Node
frappeerpnextRange12.0.9–13.1.0
| CPE | Name | Operator | Version |
|---|---|---|---|
| frappe:erpnext | frappe erpnext | lt | 13.1.0 |
CNA Affected
[
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "v12.0.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "v13.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]References
Social References
More
Related
osv
osv
CVE-2022-23058
2022-06-22 08:15:07
prion
prion
Cross site scripting
2022-06-22 08:15:00
cvelist
cvelist
CVE-2022-23058 ERPNext - Stored XSS in My Settings
2022-05-19 00:00:00
nvd
nvd
CVE-2022-23058
2022-06-22 08:15:07
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
13.0%
Related for CVE-2022-23058