A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
History

Tue, 17 Jun 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe erpnext
CPEs cpe:2.3:a:frappe:erpnext:14.74.3:*:*:*:*:*:*:*
cpe:2.3:a:frappe:erpnext:14.82.1:*:*:*:*:*:*:*
Vendors & Products Frappe
Frappe erpnext

Tue, 13 May 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 05 May 2025 16:15:00 +0000

Type Values Removed Values Added
Description A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-05-05T00:00:00.000Z

Updated: 2025-05-13T19:10:01.268Z

Reserved: 2025-03-11T00:00:00.000Z

Link: CVE-2025-28062

cve-icon Vulnrichment

Updated: 2025-05-13T19:09:38.855Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-05T16:15:51.310

Modified: 2025-06-17T14:13:04.563

Link: CVE-2025-28062

cve-icon Redhat

No data.