
CVE-2022-28598 PoC — ERPNext Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: ERPNext Cross-Site Scripting Vulnerability (CVE-2022-28598)
Description: Frappe ERPNext 12.29.0 is vulnerable to XSS: the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.
Description
Persistent XSS on 'last_known_version' field (My Settings)
Readme
# ERPNext - 12.29.0

A stored cross-site scripting (XSS) vulnerability in the "last_known_version" field of the "My Settings" page in ERPNext 12.29.0 allows remote attackers to inject arbitrary web script or HTML via a crafted site name. An authenticated POST HTTP request to '/desk#Form/User/(Authenticated User)' stores the script in the 'last_known_version' field, and the script is then rendered when the form is opened via the 'pdf' view.

The vulnerability is specifically in the "last_known_version" field under 'My Settings'; the My Settings form must be saved first.
![alt text](https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ErpNext-1.png?raw=True)

The malicious script is entered into the 'last_known_version' field.
![alt text](https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ErpNext-2.png?raw=True)

To see the injected script execute, open the view PDF page; as shown below, the script was rendered successfully.
![alt text](https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ErpNext-3.png?raw=True)
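The defect is a stored value that is written into markup unescaped. As an added example (not code from ERPNext or the original PoC), the snippet below shows the two controls a defender would want: a strict server-side check on save, since the field only ever holds a version string like "12.29.0", and HTML escaping at the point of rendering. The record list and the `render_version_cell` rendering step are constructed assumptions, not ERPNext's own API.

```python
import html
import re

# A legitimate last_known_version is a dotted numeric version such as "12.29.0"
# (assumption for this example; tighten or loosen the pattern to match the deployment).
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed sample User records, not real ERPNext data.
SAMPLE_USERS = [
    {"name": "alice@example.com", "last_known_version": "12.29.0"},
    {"name": "bob@example.com", "last_known_version": "12.29.0<b>x</b>"},
]


def is_valid_version(value: str) -> bool:
    """Server-side check to run before saving the field: accept only a plain version string."""
    return VERSION_RE.fullmatch(value.strip()) is not None


def render_version_cell(value: str) -> str:
    """Hypothetical rendering step for the PDF/HTML view: escape before placing the value in markup.

    Escaping at output is the fix for the reported behaviour; validation on save is defence in depth.
    """
    return f"<td>{html.escape(value, quote=True)}</td>"


def audit_users(records: list[dict]) -> list[str]:
    """Detection sweep: return the names of users whose stored value is not a clean version string."""
    return [r["name"] for r in records if not is_valid_version(r["last_known_version"])]


if __name__ == "__main__":
    print("suspicious users:", audit_users(SAMPLE_USERS))
    print(render_version_cell(SAMPLE_USERS[1]["last_known_version"]))
```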

Authors:<br>
Patrick Dean Ramos<br>
Nathu Nandwani<br>
Junnair Manla<br>