Stored XSS in ERPnext Demo website

v33ru · May 10, 2018, 11:59am

in the erpnext demo in below link
https://demo.erpnext.com/desk#Form/Asset%20Repair/ARLOG-00001

and functionality “Comment” is vulnerable to XSS like Stored , Reflected , Cookie , possible for more

and follow the below images

to get confirm

impact: An attacker can use this vulnerability to inject malicious code into the application, which will execute in the browser of any user who is viewing the relevant application content. The attacker code can perform wide variety of actions such as stealing the target user cookies or performing actions on their behalf and also can capture the keystrokes of the user.

netchampfaris · May 10, 2018, 3:29pm

Thanks for reporting. We will fix it soon. You can follow it’s development here: XSS Vulnerability in comment area · Issue #5546 · frappe/frappe · GitHub

felix · July 3, 2018, 8:44am

This has been assigned a CVE - CVE-2018-11339

More details are available at https://exchange.xforce.ibmcloud.com/vulnerabilities/143723

Jecintha · August 8, 2022, 4:44am

I’m facing same issue in V13 please guide anyone how to resolve this one?

Jecintha · August 23, 2022, 12:13pm

@netchampfaris
please guide how to solve this, we faced vulnerability to inject malicious code into the application

Rehan_Ansari · August 23, 2024, 7:42am

This issue is fixed ?? becuase it is coming in version15 as well?