ERPNext and Frappe Framework Stored Cross-Site Scripting Vulnerability via SVG Avatar Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in ERPNext version 15.83.2 and Frappe Framework version 15.86.0. Uploaded SVG avatar images are not properly validated, so an attacker can upload an SVG with embedded JavaScript as their avatar. The payload executes when an administrator opens the image link to view the avatar, potentially leading to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the avatar, typically an administrator. This could result in executing actions on behalf of the admin, unauthorized access to sensitive information, or manipulation of application data.

Reproduction

To reproduce this vulnerability, upload an SVG file as an avatar that contains embedded JavaScript. Once the file is uploaded, an administrator can view the avatar through its direct link, which will trigger the execution of the embedded script.
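A server-side check of the kind that would stop such a file from ever being stored, as an added example (not code from Frappe or ERPNext): it refuses any SVG that contains script, event-handler attributes, external references or a DTD, using only the standard library. The sample SVGs are constructed for illustration.

```python
"""Strict allow-list check for SVG avatar uploads (added example, not Frappe code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script, embed foreign documents, animate, or style via CSS.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object",
                  "animate", "animateTransform", "set", "style"}
# Attributes that carry a URL; only same-document fragments (#id) are allowed.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Constructed samples: a harmless avatar and one carrying the patterns we refuse.
SAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
            b'<circle id="c" cx="5" cy="5" r="4" fill="#3a7"/><use href="#c"/></svg>')
UNSAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* constructed */">'
              b'<script>/* constructed */</script>'
              b'<use xlink:href="https://example.invalid/x.svg"/></svg>')


def _local(qname: str) -> str:
    """Strip the {namespace} prefix from an ElementTree tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG upload is unsafe; an empty list means it passed."""
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:   # expat expands internal entities
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(data)                     # comments and PIs are dropped here
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not svg"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for name, value in el.attrib.items():
            attr = _local(name).lower()
            if attr.startswith("on"):                  # onload, onclick, ...
                findings.append(f"event handler {attr} on <{tag}>")
            elif name in URL_ATTRS and not value.strip().startswith("#"):
                findings.append(f"external reference in {attr} on <{tag}>")
            elif attr == "style" and "url(" in value.lower():
                findings.append(f"inline style with url() on <{tag}>")
    return findings


def is_safe_svg_avatar(data: bytes) -> bool:
    """Upload-handler gate: persist the file only when this returns True."""
    return not svg_findings(data)
```

Rejecting rather than sanitizing keeps the logic small; serving stored uploads with `Content-Disposition: attachment` or a restrictive CSP is a complementary control when SVG must be accepted.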

Added: Dec 3, 2025, 3:17 PM
Updated: Dec 3, 2025, 4:23 PM

Vulnerability Rating (Custom Algorithm)

spread: 2.6
impact: 3.5
exploitability: 5.0
remediation: 0.0
relevance: 1.3
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.