CVE-2022-23055
published 2022-06-22


Priority: P4
Severity: medium (CVSS 2.0 base score 5.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:N)
EPSS: 1.11% (61.8th percentile)
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
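The advisory describes two consequences of one missing authorization check: the chat endpoint takes the sender's identity from request data instead of the authenticated session (impersonation), and it never verifies that the caller belongs to the room being written to or read from (cross-room disclosure). The following is an added illustration of that flaw class beside its hardened form; it is constructed example code, not ERPNext's or Frappe's actual chat implementation, and the class names, method names, room names and users in it are hypothetical.

```python
"""Illustrative model of the missing-authorization flaw class described in
CVE-2022-23055.  Constructed example, not the ERPNext/Frappe chat code;
ChatService, send_message, read_messages, room and user names are all
hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the authenticated user may not act on a room."""


@dataclass
class Room:
    name: str
    members: set[str]
    messages: list[tuple[str, str]] = field(default_factory=list)  # (sender, text)


class VulnerableChatService:
    """Mirrors the flaw class: trusts request data for identity and skips
    the membership check.  Hypothetical code, not ERPNext's."""

    def __init__(self, rooms: list[Room]):
        self.rooms = {r.name: r for r in rooms}

    def send_message(self, session_user: str, room: str, user: str, content: str) -> None:
        # BUG: the sender is whatever the request says; the session is ignored,
        # so any low-privileged caller can post as "Administrator".
        self.rooms[room].messages.append((user, content))

    def read_messages(self, session_user: str, room: str) -> list[tuple[str, str]]:
        # BUG: no check that session_user belongs to the room.
        return list(self.rooms[room].messages)


class HardenedChatService(VulnerableChatService):
    """Same interface; identity comes from the session and every call
    is gated on room membership."""

    def _require_member(self, session_user: str, room: str) -> Room:
        r = self.rooms.get(room)
        if r is None or session_user not in r.members:
            # Same error whether the room is missing or the user is not a member,
            # so a caller cannot enumerate room names by probing.
            raise AuthorizationError(f"{session_user} may not access room {room!r}")
        return r

    def send_message(self, session_user: str, room: str, user: str, content: str) -> None:
        r = self._require_member(session_user, room)
        # The client-supplied 'user' is deliberately discarded.
        r.messages.append((session_user, content))

    def read_messages(self, session_user: str, room: str) -> list[tuple[str, str]]:
        return list(self._require_member(session_user, room).messages)


def demo() -> dict:
    """Run the advisory's attacker scenario against both services.
    Rooms, users and messages are constructed sample data."""

    def fresh_rooms() -> list[Room]:
        return [
            Room("finance", {"Administrator", "alice"}, [("alice", "Q3 payroll is ready")]),
            Room("general", {"Administrator", "alice", "mallory"}),
        ]

    results: dict = {}

    vuln = VulnerableChatService(fresh_rooms())
    # mallory is authenticated (low privileged) but is not a finance member.
    vuln.send_message("mallory", "finance", user="Administrator", content="Send me the payroll file")
    results["vuln_impersonated_sender"] = vuln.rooms["finance"].messages[-1][0]
    results["vuln_leaked_messages"] = vuln.read_messages("mallory", "finance")

    hard = HardenedChatService(fresh_rooms())
    try:
        hard.send_message("mallory", "finance", user="Administrator", content="Send me the payroll file")
        results["hard_send_blocked"] = False
    except AuthorizationError:
        results["hard_send_blocked"] = True
    try:
        hard.read_messages("mallory", "finance")
        results["hard_read_blocked"] = False
    except AuthorizationError:
        results["hard_read_blocked"] = True
    # In a room mallory does belong to, the recorded sender is the session
    # user, regardless of the identity claimed in the request.
    hard.send_message("mallory", "general", user="Administrator", content="hello")
    results["hard_recorded_sender"] = hard.rooms["general"].messages[-1][0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two fixes are independent and both are needed: deriving the sender from the session closes the impersonation path, and the membership check closes the cross-room read and write path. Applying only one of them leaves the other half of the advisory's impact intact.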

Affected (4 ranges)

Vendor   Product   Version range                       Fixed in
frappe   erpnext   (not given)                         (not given)
frappe   erpnext   >= 11.0.4, < 13.1.0                 13.1.0
frappe   frappe    unspecified – v13.14.1              (not given)
frappe   frappe    >= v11.0.3-beta.1, < unspecified    unspecified