CVE-2022-23055
Date: June 22, 2022
Overview
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
Details
The “ERPNext” application is built on the “Frappe Framework” and is affected by Missing Authorization in the chat room functionality. This allows a low privileged user to gain access to other chat groups and private conversations by modifying the “user” and “room” parameter values in the request. An attacker can make use of the vulnerability to do the following:
“Send a direct message/group message” to “any member/group (both member and not a member)” impersonating an “Admin”.
“Read chat messages” of “any individual/group” (being a non-member of the group).
PoC Details
For demonstration purposes, three different user roles were created, from low to high privilege. The roles are “user1@app.com, manager1@app.com, administrator”.
Scenario 1: “Send a direct message/group message” to “any member/group (both member and not a member)” impersonating an “Admin”:
Log in to the application as “Administrator” and create a chat group with all three users. As “user1@app.com”, type a message in the chat box to impersonate the admin. Now intercept the request to “frappe.chat.doctype.chat_message.chat_message.send” and observe the value of the parameter “user” in the body. Modify the value of the “user” parameter to “administrator” and forward the request. The message is reflected in the chat box as if typed by the “administrator”.
Scenario 2: “Read chat messages” of “any individual/group” (being a non-member of the group):
Here “user1@app.com” is not a member of the group called “Manager and Admin”. To read other individual/group messages, click on any conversation in the chat box while intercepting the request in a proxy tool. Observe the value of the “room” parameter, which is generated in sequential order. This lets the attacker guess the next values for the parameter “room”. In the request “frappe.chat.doctype.chat_room.chat_room.history”, modify the “room” parameter value to its succeeding or preceding numbers so that the attacker can read other users’ conversations. Now “user1@app.com” can read the conversations of other rooms without any restriction.
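The two missing checks behind the scenarios above, shown as an added Python illustration that is not ERPNext or Frappe code: a toy in-memory chat where the sender is taken from the authenticated session instead of the request body, and room history is only served to members. The names ROOMS, Room and ChatError, and the sample rooms, are assumptions made for this example.

```python
from dataclasses import dataclass, field

class ChatError(Exception):
    """Raised when the caller is not authorized for the requested action."""

@dataclass
class Room:
    room_id: str
    members: set
    messages: list = field(default_factory=list)

# Constructed sample data (assumption, not real ERPNext state): room "2"
# plays the role of the "Manager and Admin" group that user1 is not in.
ROOMS = {
    "1": Room("1", {"Administrator", "manager1@app.com", "user1@app.com"}),
    "2": Room("2", {"Administrator", "manager1@app.com"}),
}

def send_vulnerable(session_user, body):
    """Missing authorization: the sender is read from the request body,
    so any logged-in user can post as "Administrator" (Scenario 1)."""
    room = ROOMS[body["room"]]
    room.messages.append((body["user"], body["content"]))
    return body["user"]

def send_fixed(session_user, body):
    """The sender is the authenticated session user, never a body field,
    and the caller must already be a member of the target room."""
    room = ROOMS.get(body["room"])
    if room is None or session_user not in room.members:
        raise ChatError("not a member of room %r" % body["room"])
    room.messages.append((session_user, body["content"]))
    return session_user

def history_vulnerable(session_user, room_id):
    """Missing authorization: any room id returns its history, and the
    sequential ids make neighbouring rooms easy to walk (Scenario 2)."""
    return list(ROOMS[room_id].messages)

def history_fixed(session_user, room_id):
    """History is served only to members; an unknown room and a room the
    caller is not in give the same error, so ids cannot be probed."""
    room = ROOMS.get(room_id)
    if room is None or session_user not in room.members:
        raise ChatError("not a member of room %r" % room_id)
    return list(room.messages)
```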
Affected Environments
ERPNext versions v11.0.3-beta through v13.0.2
Prevention
Upgrade to ERPNext version v13.1.0
Language: Python
Good to know:

CVSS v3 base metrics

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | Low |
| Integrity (I) | Low |
| Availability (A) | None |

CVSS v2 base metrics

| Metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |
| Authentication (AU) | Single |
| Confidentiality (C) | Partial |
| Integrity (I) | Partial |
| Availability (A) | None |