CVE-2022-23055

CVE-2022-23055: ERPNext - Improper user access control

Vendor Frappe
Product frappe
Weakness CWE-862 · Missing authorization
Published June 22, 2022
Last update September 16, 2024

CVSS base score

What the vulnerability does

01 Description

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low-privileged attacker can send a direct message or a group message to any user or group while impersonating the administrator, and can also read the chat messages of groups they do not belong to and of other users.
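The two failures the description names (a client-chosen sender identity and no membership check on the target room) are both instances of CWE-862. The following is an added illustrative example, not Frappe's or ERPNext's own code: it models a chat-room API with a vulnerable handler that trusts a request-supplied sender and room, beside a hardened handler that takes the sender from the server-side session and authorizes against room membership. All names (Room, send_message_vulnerable, send_message_hardened, the room and user identifiers) are assumptions made for the example, and the room state is constructed inline.

```python
"""Model of CWE-862 (missing authorization) in a chat-room send/read API.

Illustrative code only, not Frappe/ERPNext's implementation. Every name
here (Room, make_rooms, send_message_*, read_messages_*, the user and room
identifiers) is an assumption made for the example.
"""

from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised by the hardened handlers when the caller is not permitted."""


@dataclass
class Room:
    name: str
    members: set
    messages: list = field(default_factory=list)


def make_rooms():
    """Constructed sample state: one private room the attacker does not belong to."""
    return {
        "finance-leads": Room("finance-leads", {"Administrator", "cfo@example.com"}),
    }


# --- Vulnerable pattern -------------------------------------------------------

def send_message_vulnerable(rooms, sender, room_name, content):
    """`sender` and `room_name` come straight from the request body.

    Nothing ties `sender` to the logged-in user and nothing checks that the
    caller belongs to `room_name`, so any authenticated user can post into any
    room under any name, including "Administrator".
    """
    room = rooms[room_name]
    room.messages.append({"sender": sender, "content": content})
    return True


def read_messages_vulnerable(rooms, room_name):
    """Returns every message in a room with no membership check at all."""
    return list(rooms[room_name].messages)


# --- Hardened pattern ---------------------------------------------------------

def _authorize_room(rooms, session_user, room_name):
    """Resolve the room and require that the session user is a member.

    The same error is used for "no such room" and "not a member" so the
    endpoint does not reveal which room names exist.
    """
    if session_user in (None, "", "Guest"):
        raise AuthorizationError("login required")
    room = rooms.get(room_name)
    if room is None or session_user not in room.members:
        raise AuthorizationError("not permitted")
    return room


def send_message_hardened(rooms, session_user, room_name, content):
    """`session_user` must be taken from the server-side session, never from
    the request body; the client cannot choose who the message is from."""
    room = _authorize_room(rooms, session_user, room_name)
    room.messages.append({"sender": session_user, "content": content})
    return True


def read_messages_hardened(rooms, session_user, room_name):
    """Only members of a room may read its history."""
    room = _authorize_room(rooms, session_user, room_name)
    return list(room.messages)


def denied(fn, *args):
    """True if calling fn(*args) is refused with AuthorizationError."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    attacker = "attacker@example.com"   # low-privileged user, not in the room
    rooms = make_rooms()
    send_message_vulnerable(rooms, "Administrator", "finance-leads", "Wire the funds today")
    print("vulnerable:", read_messages_vulnerable(rooms, "finance-leads"))
    rooms = make_rooms()
    print("hardened send denied:", denied(send_message_hardened, rooms, attacker, "finance-leads", "x"))
    print("hardened read denied:", denied(read_messages_hardened, rooms, attacker, "finance-leads"))
```

The point of the hardened variant is that the sender identity is an output of authentication, not an input from the client, and that every read or write names the object (the room) it touches so that an explicit membership check can run before the action.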

Key dates

02 Disclosure timeline

June 22, 2022 CVE published
September 16, 2024 Record updated