Frappe Framework and ERPNext Stored Cross-Site Scripting Vulnerability via Arbitrary File Upload
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Attachments module of Frappe Framework and ERPNext, both in version 15.89.0. This vulnerability allows users to upload XML or HTML files containing malicious JavaScript. When an administrator accesses the uploaded file through its direct link, the embedded script is executed in the admin's browser, potentially leading to privilege escalation and unauthorized manipulation of application data.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded files containing malicious scripts are executed in the context of the user viewing the file. In this case, if an administrator accesses the file, the script runs with admin privileges, which could be used to perform actions on behalf of the admin or manipulate application data.
Reproduction
To reproduce this vulnerability, log into an affected instance of ERPNext or Frappe Framework. Upload a file with a .XML or .HTM extension through the Attachments feature, ensuring the file contains a malicious JavaScript payload. Once the file is uploaded, an administrator can access it via its direct URL, which will trigger the execution of the embedded script in the admin's browser.
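The root cause is that an uploaded HTML or XML document is served inline from the application's own origin, so a browser renders it and runs any script inside it with the viewer's session. The following is an added illustration of a server-side mitigation for the attachment-serving path; it is not Frappe's or ERPNext's own code, and the function names are assumptions (the HTTP headers it sets are standard).

```python
# Added example: defensive response headers for serving user-uploaded attachments.
# Illustrative code, not the Frappe/ERPNext implementation.
import mimetypes
from pathlib import PurePosixPath

# Extensions a browser will render as a document; script inside them would run
# in the application's origin (the stored XSS described above).
ACTIVE_CONTENT_EXTENSIONS = {".html", ".htm", ".xhtml", ".xml", ".xsl", ".xslt", ".svg"}


def is_active_content(filename: str) -> bool:
    """True if the file could execute script when rendered inline by a browser."""
    # Compare case-insensitively so .HTM / .XML uploads are caught as well.
    return PurePosixPath(filename).suffix.lower() in ACTIVE_CONTENT_EXTENSIONS


def attachment_headers(filename: str) -> dict:
    """Headers for serving an uploaded file from the application's origin.

    Active content is forced to download under a neutral MIME type; every
    response carries nosniff and a sandboxing CSP so that even a mis-typed
    file cannot run script with the viewer's session.
    """
    name = PurePosixPath(filename).name
    guessed, _ = mimetypes.guess_type(name)
    content_type = guessed or "application/octet-stream"
    headers = {
        "X-Content-Type-Options": "nosniff",
        # 'sandbox' puts the document in a unique origin with scripts disabled.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if is_active_content(name):
        content_type = "application/octet-stream"
        # Strip characters that would break the quoted filename parameter.
        safe_name = name.replace('"', "").replace("\r", "").replace("\n", "")
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    headers["Content-Type"] = content_type
    return headers


if __name__ == "__main__":
    # Constructed sample names: one benign image, one of the risky types above.
    for sample in ("invoice.png", "report.HTM"):
        print(sample, attachment_headers(sample))
```

Serving uploads from a separate, cookie-less origin is the stronger fix; the headers above are the in-place hardening when that is not possible.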