ERPNext 15.67.0 / Frappe 15.72.4 Cross Site Scripting

2025.10.05
Credit: Mohammed Aloli
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2025-56379
CWE: N/A

# CVE-2025-56379 — Stored Cross-Site Scripting (XSS) in ERPNext 15.67.0 / Frappe 15.72.4 📌 **Summary** A stored Cross‑Site Scripting (XSS) vulnerability exists in the Blog module of ERPNext (v15.67.0) / Frappe (v15.72.4). An authenticated user who can create or edit blog posts may inject crafted HTML/JavaScript into the `content` field. That payload is stored and will execute in the browser of any user who views the blog-post page, allowing arbitrary script execution, information disclosure, denial of service, and other client-side attacks. Admin privileges are **not** strictly required — any user with permission to create/edit blog posts may exploit it. --- ## 🛠 Technical Details * **Vulnerability Type:** Stored Cross‑Site Scripting (CWE‑79) * **Affected Product(s):** ERPNext / Frappe * **Affected Versions (reported):** * Frappe — **15.72.4** * ERPNext — **15.67.0** * **Affected Component:** ERPNext Blog Module * **Route:** `/app/blog-post/<blog_name>` * **Vulnerable Field:** `content` (blog post creation / edit form) * **Attack Type:** Remote (requires authentication and blog-post creation privileges) * **Severity:** High (client-side code execution, data theft, session hijacking possibility) * **Estimated CVSS v3.1 Score:** **7.5 (High)** — *estimate; authoritative assigner should compute final score* * **Status:** Not fixed (as reported) * **Discovered by:** Mohammed Aloli * **Date Discovered:** Not specified * **CVE ID:** **CVE-2025-56379** --- ## 🚀 Proof of Concept (PoC) — Stored XSS > **Only test in authorized / lab environments. Do NOT run against systems you do not own or have explicit permission to test.** **Steps to reproduce** 1. Authenticate to the target ERPNext instance as a user with permission to create/edit blog posts. 2. Navigate to blog-post creation/edit route for a blog, e.g.: ``` /app/blog-post/<blog_name> ``` <img width="709" height="829" alt="image" src="https://github.com/user-attachments/assets/f3b4a0a0-5726-4601-a4bb-62f113f7244f" /> 3. In the **content** field insert the payload and save the post: ```html <img src=x onerror=alert("xss")> ``` 4. Open the blog-post page (`/app/blog-post/<blog_name>`) as another user (or same user in a fresh browser). The payload executes in the viewer’s browser (here, `alert("xss")`). **Notes:** the PoC uses a simple `onerror` alert. Real attacks could exfiltrate cookies, perform actions on behalf of the victim, or load remote scripts (subject to CSP and cookie flags). --- ## 🧪 Exploitation Scenario An attacker who can create or edit blog posts stores a malicious script in the `content` field. Any user — including administrators — who visits the blog-post page will execute the attacker's script in their browser context. Consequences include session theft (if cookies are not `HttpOnly`), forced actions in the victim’s session, data exfiltration from pages the attacker can access, UI redress attacks, and potential DoS of client-side components. --- ## 🔐 Mitigation Recommendations 1. **Sanitize/encode stored HTML** — Sanitize the `content` HTML on input and/or escape on output using a secure HTML sanitizer that removes dangerous tags and attributes (remove `on*` attributes, `javascript:` URIs, `<script>`, `<iframe>`, etc.). Prefer well‑maintained libraries. 2. **Whitelist (allowlist) HTML** — Only permit a minimal set of safe tags/attributes required for formatting (e.g., `<p>`, `<b>`, `<i>`, `<ul>`, `<li>`, `<a href>` with strict href validation). Disallow inline event handlers. 3. **Content Security Policy (CSP)** — Deploy a strict CSP to reduce the impact of XSS (restrict script sources, avoid `'unsafe-inline'`, use nonce/hash-based script allowances where necessary). 4. **Server-side enforcement** — Enforce sanitization on the server before storing content (don’t rely solely on client-side checks). 5. **HttpOnly & SameSite cookies** — Ensure session cookies are `HttpOnly` and set appropriate `SameSite` attributes to reduce cookie theft and CSRF-like risks. 6. **Least privilege for content creation** — Limit who can create/edit blog posts and audit those permissions. 7. **Contextual encoding** — Encode user-supplied content correctly when inserted into HTML attributes, JS contexts, or URLs. 8. **Reject unsafe input** — Consider rejecting or stripping dangerous attributes and tags at save time, logging blocked attempts. 9. **Testing & monitoring** — Add unit/integration tests to assert sanitization behavior. Monitor logs for suspicious post creation/editing activity. 10. **Patch release** — Developers should update the sanitization pipeline in Frappe/ERPNext and publish a security update; operators should apply updates promptly. --- ## 🔗 References * ERPNext GitHub: `https://github.com/frappe/erpnext` * Frappe Framework GitHub: `https://github.com/frappe/frappe` * OWASP XSS Prevention Cheat Sheet: `https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html` * NVD / CVE database — check for **CVE-2025-56379** entry when published --- ## 🙏 Acknowledgments author : Mohammed Aloli --- ## 📢 Disclaimer This write-up is intended for defensive, remediation, and awareness purposes only. Do **not** attempt to exploit this vulnerability against systems you do not own or have explicit authorization to test. If you operate ERPNext/Frappe, apply fixes, enforce sanitization, and follow the mitigation guidance above.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2025, cxsecurity.com

 

Back to Top