CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23057 – ERPNext - Stored XSS in My Profile
https://notcve.org/view.php?id=CVE-2022-23057
22 Jun 2022 — In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile. En ERPNext, versiones v12.0.9--v13.0.3, son vulnerables a un ataque de tipo Cross-Site-Scripting (XSS) Almacenado, debido a que las entradas del usuario no son comprobados apropiadamente. Un atacante poco privilegiado podría inyectar código arbitrario en los campos de entrad... • https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-35175
https://notcve.org/view.php?id=CVE-2020-35175
11 Dec 2020 — Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API. Frappe Framework versiones 12 y 13, no comprueban apropiadamente el método HTTP para la API frappe.client • https://github.com/frappe/frappe/pull/11228 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27508
https://notcve.org/view.php?id=CVE-2020-27508
11 Dec 2020 — In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security. En la autenticación de doble factor, el sistema también envía una clave secreta 2fa en respuesta, lo que permite a un intruso violar la seguridad 2fa • https://github.com/frappe/frappe/pull/11262 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-6145
https://notcve.org/view.php?id=CVE-2020-6145
10 Aug 2020 — An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. Se presenta una vulnerabilidad de inyección SQL en la funcionalidad frappe.desk.reportview.get de ERPNext versión 11.1.38. Una petición HTTP especialmente diseñada puede causar una inyección SQL. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1091 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20521
https://notcve.org/view.php?id=CVE-2019-20521
19 Mar 2020 — ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI. ERPNext versión 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI api/. • https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20520
https://notcve.org/view.php?id=CVE-2019-20520
19 Mar 2020 — ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI. ERPNext versión 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI api/method/ • https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20519
https://notcve.org/view.php?id=CVE-2019-20519
19 Mar 2020 — ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address. ERPNext versión 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI user/, como es demostrado por una dirección de correo electrónico diseñada. • https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20518
https://notcve.org/view.php?id=CVE-2019-20518
19 Mar 2020 — ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI. ERPNext versión 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI project/. • https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20517
https://notcve.org/view.php?id=CVE-2019-20517
19 Mar 2020 — ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI. ERPNext versión 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI contact/. • https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20516
https://notcve.org/view.php?id=CVE-2019-20516
19 Mar 2020 — ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI. ERPNext versión 11.1.47, permite un ataque de tipo XSS reflejado por medio del PATH_INFO en el URI blog/. • https://www.netsparker.com/web-applications-advisories/ns-19-017-cross-site-scripting-in-erpnext • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •