
CVE-2022-28598 PoC — ERPNext cross-site scripting vulnerability

Source
Associated Vulnerability
Title: ERPNext cross-site scripting vulnerability (CVE-2022-28598)
Description: ERPNext is an open-source enterprise resource planning solution from the Indian company ERPNext. ERPNext version 12.29.0 has a security vulnerability that stems from failing to neutralize user-controllable input.
Description
Persistent XSS on 'last_known_version' field (My Settings)
Readme
# ERPNext - 12.29.0

A stored cross-site scripting (XSS) vulnerability in the "last_known_version" field on the "My Settings" page of ERPNext 12.29.0 allows remote attackers to inject arbitrary web script or HTML via a crafted site name. An authenticated POST HTTP request to '/desk#Form/User/(Authenticated User)' stores the script in the 'last_known_version' field, and the injected script is then rendered when the form is opened through the 'pdf' view.

The vulnerable field is specifically "last_known_version" under 'My Settings'; the My Settings form has to be saved first.
![alt text](https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ErpNext-1.png?raw=True)

The malicious script is entered into the 'last_known_version' field.
![alt text](https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ErpNext-2.png?raw=True)

To trigger the injected script, open the form's PDF view; as seen below, the script has been successfully injected.
![alt text](https://github.com/patrickdeanramos/CVE-2022-28598/blob/main/ErpNext-3.png?raw=True)
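The defensive counterpart to the issue described above, as an added example that is not part of this PoC repository or of ERPNext's own code: a minimal Python illustration of the vulnerable pattern (interpolating a stored, user-controlled field value straight into the HTML that a PDF renderer consumes) beside the hardened form (HTML-escaping the value on output, plus validating on input that a version field contains only version-like characters). The field name 'last_known_version' comes from the page; the rendering functions, the constructed sample value and the validation pattern are assumptions made for illustration.

```python
import html
import re

# Constructed sample value: the kind of string an attacker could store in a
# user-controllable profile field such as 'last_known_version'.
STORED_VALUE = 'v12.29.0<script>alert(1)</script>'

# Assumed allow-list for a version-string field: digits, letters, '.', '+', '-'.
VERSION_PATTERN = re.compile(r"[0-9A-Za-z][0-9A-Za-z.+\-]*")


def render_field_unsafe(label: str, value: str) -> str:
    """Vulnerable pattern: the stored value goes into the HTML verbatim, so any
    markup inside it becomes part of the document the browser or PDF engine renders."""
    return f"<tr><td>{label}</td><td>{value}</td></tr>"


def render_field_safe(label: str, value: str) -> str:
    """Hardened pattern: HTML-escape both label and value so '<', '>', '&' and quotes
    are rendered as literal text instead of being parsed as markup."""
    return (
        f"<tr><td>{html.escape(label, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
    )


def is_plausible_version(value: str) -> bool:
    """Input-side check: reject values that cannot be a version string at all.
    This complements output escaping; it does not replace it."""
    return VERSION_PATTERN.fullmatch(value) is not None


def store_version(value: str) -> str:
    """Simulated save path: validate before persisting, raising on bad input."""
    if not is_plausible_version(value):
        raise ValueError("last_known_version contains characters outside the allow-list")
    return value


if __name__ == "__main__":
    print("unsafe :", render_field_unsafe("last_known_version", STORED_VALUE))
    print("safe   :", render_field_safe("last_known_version", STORED_VALUE))
    print("valid  :", is_plausible_version("12.29.0"), is_plausible_version(STORED_VALUE))
```

Escaping at render time is the fix that closes the bug regardless of what was stored; the allow-list check is defence in depth for a field that has no business containing markup. In a real template engine the equivalent is leaving autoescaping enabled and never marking user-supplied values as safe.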

Authors:
- Patrick Dean Ramos
- Nathu Nandwani
- Junnair Manla
File Snapshot

[4.0K] /data/pocs/b09b1e6e93b438c142b8e6a1bd485208b9cb70c5
├── [497K] ErpNext-1.png
├── [1.1M] ErpNext-2.png
├── [660K] ErpNext-3.png
└── [1.1K] README.md

0 directories, 4 files
Shenlong Bot has cached this for you