ERPNext
cpe:2.3:a:erpnext:erpnext:*:*:*:*:*:*:*
- 15.67.0
A stored cross-site scripting vulnerability has been identified in ERPNext version 15.67.0 and Frappe version 15.72.4. The vulnerability is in the blog post feature: HTML submitted in the content field of a blog post is stored without adequate sanitization and rendered unescaped, so a crafted payload placed there executes in the browser of every user who views the post. An authenticated user with permission to create or edit blog posts can therefore inject arbitrary HTML or script.
Exploitation allows arbitrary script execution in the context of the user viewing the blog post, with that user's session and privileges. Because the payload is stored, it fires on every view rather than only on a crafted link, and it can lead to session hijacking, data theft, actions performed on the viewer's behalf, and other client-side attacks.
To reproduce this vulnerability, authenticate as a user with permission to create or edit blog posts. Navigate to the blog post creation or edit route and inject a payload, such as an image tag with an error event handler, into the content field. After the post is saved, the injected handler executes whenever the blog post is viewed, which confirms that the stored content is rendered without sanitization or output encoding.
Sanitize stored HTML on input against an allowlist of tags and attributes, dropping event handler attributes (onerror, onload, and similar) and URLs with script-capable schemes such as javascript: and data:; where rich text is not required, HTML-encode the field on output instead. Sanitizing and encoding are different controls: sanitizing keeps benign markup, encoding neutralizes all of it. A strict Content Security Policy (no unsafe-inline, no inline event handlers) limits what an injected payload can do but does not remove the injection. Set session cookies to HttpOnly with an appropriate SameSite attribute; this prevents cookie theft via script but not requests made from the victim's browser by the injected code. Limit blog post creation and editing permissions to the roles that need them and audit those permissions regularly.
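The following allowlist sanitizer is an added example for this advisory and is not ERPNext or Frappe code (Frappe ships its own bleach-based sanitize_html in frappe.utils.html_utils; the point here is the technique). It uses only the Python standard library, and the tag and attribute allowlist, the helper names and the sample payload are assumptions made for illustration. Fed the kind of payload described in the reproduction steps (an image tag with an error event handler) it strips the handler while keeping the benign markup; it also rejects javascript: URLs, drops script blocks together with their contents, and records what it removed so the submission can be logged or refused.

```python
"""Allowlist HTML sanitizer for a stored rich-text field such as a blog post body.

Added example for this advisory, not ERPNext/Frappe code. Standard library only;
the allowlist, helper names and sample payload below are assumptions for
illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a blog author may legitimately use (assumed allowlist).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "h1", "h2", "h3", "ul", "ol",
                "li", "blockquote", "code", "pre", "a", "img"}
# Attributes allowed per tag; everything else (style, on*, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}               # drop contents, not just the tag


def _safe_url(value):
    """Reject script-capable schemes (javascript:, data:, vbscript:, ...)."""
    # Strip control characters so "java\tscript:" cannot slip past the scheme check.
    cleaned = "".join(ch for ch in value if ord(ch) > 31 and ch != "\x7f").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (kind, detail) pairs for logging or rejecting the post
        self._open = []     # stack of emitted tags, to keep output well-formed
        self._skip = None   # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in RAW_TEXT_TAGS:
            self._skip = tag
            self.dropped.append(("tag", tag))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:          # HTMLParser lower-cases names for us
            value = value or ""
            # Event handlers (onerror, onload, ...) are never allowed, and
            # anything outside the per-tag allowlist is dropped as well.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}.{name}"))
                continue
            if name in URL_ATTRS and not _safe_url(value):
                self.dropped.append(("url", f"{tag}.{name}={value}"))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag in self._open:
            # Close everything opened after the matching tag as well.
            while self._open:
                closed = self._open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self._skip:
            return
        self.out.append(escape(data, quote=False))   # text is always encoded

    def result(self):
        while self._open:                           # close anything left dangling
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_html(html):
    """Return (clean_html, dropped) for untrusted rich-text input."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed payload of the kind the advisory describes: an image tag
    # whose error handler fires when the blog post is rendered.
    payload = '<p>Hello <b>world</b></p><img src=x onerror=alert(document.cookie)>'
    clean, dropped = sanitize_html(payload)
    print(clean)     # <p>Hello <b>world</b></p><img src="x">
    print(dropped)   # [('attr', 'img.onerror')]
```

Run the sanitizer at save time, before the content is written to the database, and keep the returned dropped list in the server log: a non-empty list on a production blog is itself a useful detection signal for someone probing the field. Text nodes are always encoded, so this also covers the simpler case of a raw `<script>` string in the body.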