Vulnerability Description
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS on the Patient History page, which allows a low-privilege user to conduct an account takeover attack against a higher-privilege user who views the injected content.
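The following is an added example, not ERPNext's own code and not the vulnerable code path from the advisory. It shows the weakness class the description names: a client-side renderer that concatenates stored patient-history fields straight into HTML, beside a hardened renderer that escapes each value for its context, and a small check that flags injected tags and event-handler attributes in the rendered output. The record shape, the function names and the sample entries are assumptions made for illustration.

```javascript
// Added example (not ERPNext code): stored-XSS pattern and hardened form for a
// "patient history" style timeline rendered in the browser.
// Assumptions: the record shape {date, encounter, notes}, the function names
// and SAMPLE_ENTRIES are hypothetical and exist only to illustrate the bug class.

// Escape the five characters that can change HTML structure or terminate an
// attribute value. Output is safe in element content and in double-quoted
// attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: stored field values are interpolated into markup unescaped.
// Whoever may write `encounter` or `notes` (a low-privilege role) controls
// what executes in the browser of whoever later views the history.
function renderHistoryUnsafe(entries) {
  return entries.map(e =>
    `<div class="history-row" title="${e.encounter}">` +
    `<span class="date">${e.date}</span>` +
    `<p class="notes">${e.notes}</p></div>`
  ).join("");
}

// HARDENED: every interpolated value is escaped; the template alone decides
// which tags and attributes appear in the output.
function renderHistorySafe(entries) {
  return entries.map(e =>
    `<div class="history-row" title="${escapeHtml(e.encounter)}">` +
    `<span class="date">${escapeHtml(e.date)}</span>` +
    `<p class="notes">${escapeHtml(e.notes)}</p></div>`
  ).join("");
}

// Check: walk every start tag in the rendered HTML, parse its attributes with
// quote awareness, and report tags the template never emits and any on*
// event-handler attribute. Returns [] when nothing foreign is present.
const TEMPLATE_TAGS = new Set(["div", "span", "p"]);
function findInjectedMarkup(html) {
  const findings = [];
  for (const tag of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g)) {
    const name = tag[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) findings.push(`tag:${name}`);
    // name=value pairs; quoted values may contain spaces but not their own quote
    for (const attr of tag[2].matchAll(/([a-zA-Z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g)) {
      if (/^on/i.test(attr[1])) findings.push(`attr:${attr[1].toLowerCase()}`);
    }
  }
  return findings;
}

// Constructed sample records: one benign entry, one carrying a payload in an
// attribute context (breaks out of title="...") and one in element content.
const SAMPLE_ENTRIES = [
  { date: "2022-01-10", encounter: "Follow-up", notes: "BP 120/80, no complaints" },
  {
    date: "2022-01-11",
    encounter: `x" onmouseover="alert(1)`,
    notes: `<img src=x onerror="alert(document.cookie)">`,
  },
];

// Run directly with node to see both results: the unsafe renderer reports
// an injected <img> plus two event handlers, the safe renderer reports nothing.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findInjectedMarkup(renderHistoryUnsafe(SAMPLE_ENTRIES)));
  console.log(findInjectedMarkup(renderHistorySafe(SAMPLE_ENTRIES)));
}
```

Note that `findInjectedMarkup` has to parse attribute values with quote awareness: after escaping, the safe output still contains the literal text `onmouseover=` inside the `title` value, so a naive regex for ` on…=` would flag the fixed renderer as well. The same point applies to any grep-style XSS check run over rendered pages.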
CVSS Score
3.5 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Frappe | Erpnext | >= 13.0.1, < 13.30.0 |
Related Weaknesses (CWE)
References
- https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/ (Patch, Third Party Advisory)
- https://www.mend.io/vulnerability-database/CVE-2022-23056 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-23056?
CVE-2022-23056 is a vulnerability with a CVSS score of 3.5 (LOW). In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS on the Patient History page, which allows a low-privilege user to conduct an account takeover attack.
How severe is CVE-2022-23056?
CVE-2022-23056 has been rated LOW with a CVSS base score of 3.5/10. Only the base score is listed here; no vector breakdown is given on this page.
Is there a patch for CVE-2022-23056?
Check the references section above for vendor advisories and patch information; the frappe/erpnext commit listed there is tagged as the patch. Affected products include: Frappe Erpnext.