CVSS: 5.5EPSS: 0%CPEs: 38EXPL: 3CVE-2022-23055 – ERPNext - Improper user access conrol
https://notcve.org/view.php?id=CVE-2022-23055
22 Jun 2022 — In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users. En ERPNext, versiones v11.0.0-beta hasta v13.0.2, son vulnerables a una falta de autorización, en la funcionalidad chat rooms. Un atacante poco pri... • https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134 • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23058 – ERPNext - Stored XSS in My Settings
https://notcve.org/view.php?id=CVE-2022-23058
22 Jun 2022 — ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover. En ERPNext, versiones v12.0.9-v13.0.3, están afectadas por una vulnerabilidad de tipo XSS almacenada que permite a usuarios con pocos privilegios almacenar scripts maliciosos en el campo "username" en "my settings", lo que puede conllevar a una toma de control total de la cuenta • https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23056 – ERPNext - Stored XSS leads to account takover
https://notcve.org/view.php?id=CVE-2022-23056
22 Jun 2022 — In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack. En ERPNext, versiones v13.0.0-beta.13 hasta v13.30.0, son vulnerables a un ataque de tipo XSS almacenado en la página del historial del paciente, lo que permite a un usuario con pocos privilegios conducir un ataque de toma de control de la cuenta • https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23057 – ERPNext - Stored XSS in My Profile
https://notcve.org/view.php?id=CVE-2022-23057
22 Jun 2022 — In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile. En ERPNext, versiones v12.0.9--v13.0.3, son vulnerables a un ataque de tipo Cross-Site-Scripting (XSS) Almacenado, debido a que las entradas del usuario no son comprobados apropiadamente. Un atacante poco privilegiado podría inyectar código arbitrario en los campos de entrad... • https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •