v33ru
1
In the ERPNext demo at the link below
https://demo.erpnext.com/desk#Form/Asset%20Repair/ARLOG-00001
the “Comment” functionality is vulnerable to XSS (stored, reflected, cookie-based, and possibly more).
Follow the images below
to confirm.
Impact: An attacker can use this vulnerability to inject malicious code into the application, which will execute in the browser of any user who is viewing the relevant application content. The attacker's code can perform a wide variety of actions, such as stealing the target user's cookies, performing actions on their behalf, and capturing the user's keystrokes.
2 Likes
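For readers trying to understand the class of bug reported above: the following is an added illustration, not code from frappe/ERPNext, showing the vulnerable pattern (comment text concatenated straight into markup) beside the hardened one (every untrusted field escaped at output). The function names, the comment record shape and the sample comment are all constructed for this example.

```javascript
// Escape the five characters that let comment text break out of an HTML text
// node or a double-quoted attribute value. Hypothetical helper, not frappe's.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored comment is dropped into the markup as-is,
// so whatever the commenter typed is interpreted as HTML by every viewer.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.content}</div>`;
}

// Hardened pattern: author and content are treated as data, not markup.
// (Using element.textContent instead of innerHTML achieves the same in the DOM.)
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ` +
    `${escapeHtml(comment.content)}</div>`;
}

// Constructed sample record: the content carries the kind of markup a stored
// XSS test would use. Nothing here is taken from the demo site.
const sampleComment = {
  author: "guest",
  content: '<img src=x onerror="alert(1)">',
};

// Simple check a reviewer can run over rendered output: a raw <img tag means
// the comment text reached the page unescaped.
function containsRawImgTag(html) {
  return /<img\b/i.test(html);
}
```

The unsafe renderer hands the browser a live `<img>` element whose `onerror` handler runs for every viewer; the safe renderer shows the same text literally.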
Thanks for reporting. We will fix it soon. You can follow its development here: XSS Vulnerability in comment area · Issue #5546 · frappe/frappe · GitHub
felix
3
This has been assigned a CVE - CVE-2018-11339
More details are available at https://exchange.xforce.ibmcloud.com/vulnerabilities/143723
I’m facing the same issue in V13. Can anyone please guide me on how to resolve this one?
@netchampfaris
Please guide us on how to solve this; we faced a vulnerability allowing injection of malicious code into the application.
Is this issue fixed? Because it is appearing in version 15 as well.