CVSS: 6.4EPSS: 3%CPEs: 1EXPL: 4CVE-2022-28598 – ERPNext 12.29 - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-28598
22 Aug 2022 — Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. Frappe ERPNext versión 12.29.0, es vulnerable a un ataque de tipo XSS cuando el software no neutraliza o neutraliza incorrectamente la entrada controlable por el usuario antes de colocarla en la salida que es usada como página web que sirve a otros usuarios. ERPNext version 12.29 suffers fr... • https://packetstorm.news/files/id/171730 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 38EXPL: 3CVE-2022-23055 – ERPNext - Improper user access conrol
https://notcve.org/view.php?id=CVE-2022-23055
22 Jun 2022 — In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users. En ERPNext, versiones v11.0.0-beta hasta v13.0.2, son vulnerables a una falta de autorización, en la funcionalidad chat rooms. Un atacante poco pri... • https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134 • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23058 – ERPNext - Stored XSS in My Settings
https://notcve.org/view.php?id=CVE-2022-23058
22 Jun 2022 — ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover. En ERPNext, versiones v12.0.9-v13.0.3, están afectadas por una vulnerabilidad de tipo XSS almacenada que permite a usuarios con pocos privilegios almacenar scripts maliciosos en el campo "username" en "my settings", lo que puede conllevar a una toma de control total de la cuenta • https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23057 – ERPNext - Stored XSS in My Profile
https://notcve.org/view.php?id=CVE-2022-23057
22 Jun 2022 — In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile. En ERPNext, versiones v12.0.9--v13.0.3, son vulnerables a un ataque de tipo Cross-Site-Scripting (XSS) Almacenado, debido a que las entradas del usuario no son comprobados apropiadamente. Un atacante poco privilegiado podría inyectar código arbitrario en los campos de entrad... • https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •