6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
49.2%
# Exploit Title: ERPNext 12.29 - Cross-Site Scripting (XSS)
# Date: 7 Feb 2023
# Exploit Author: Patrick Dean Ramos / Nathu Nandwani / Junnair Manla
#Github - https://github.com/patrickdeanramos/CVE-2022-28598
# Vendor Homepage: https://erpnext.com/
# Version: 12.29
# CVE-2022-28598
Summary: Stored cross-site scripting (XSS) vulnerability was found in ERPNext 12.29 where the
"last_known_version" field found in the "My Setting" page in ERPNext
12.29.0 allows remote attackers to inject arbitrary web script or HTML via
a crafted site name by doing an authenticated POST HTTP request to
'/desk#Form/User/(Authenticated User)' and inject the script in the
'last_known_version' field where we are able to view the script by
clicking the 'pdf' view form.
This vulnerability is specifically the "last_known_version" field found
under the 'My Settings' where we need to first save the my settings.
1. Login as any user
2. Under the βlast_known_versionβ field we are going to inject our
malicious script.
3. To view our injected script we need to click the view pdf page, and as
seen below we have successfully injected our script.