Vulnerability Description
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Frappe | Erpnext | >= 11.0.4, < 13.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/cExploitThird Party Advisory
- https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/cExploitThird Party Advisory
- https://www.mend.io/vulnerability-database/CVE-2022-23055ExploitPatchThird Party Advisory
- https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/cExploitThird Party Advisory
- https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/cExploitThird Party Advisory
- https://www.mend.io/vulnerability-database/CVE-2022-23055ExploitPatchThird Party Advisory
FAQ
What is CVE-2022-23055?
CVE-2022-23055 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to an...
How severe is CVE-2022-23055?
CVE-2022-23055 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23055?
Check the references section above for vendor advisories and patch information. Affected products include: Frappe Erpnext.