Exploit Details
Basic Information
| Exploit Title | ERPNext 14.82.1 – Account Takeover via Cross-Site Request Forgery (CSRF) |
|---|---|
| Exploit ID | EDB-ID:52283 |
| Type | exploitdb |
| Published | 2025-05-06T00:00:00 |
| Modified | 2025-05-06T00:00:00 |
CVSS Information
| CVSS Score | 0.0 |
|---|---|
| Severity | NONE |
| Vector | NONE |
CVE Information
- CVE-2025-28062
Exploit Description
Exploit Code
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps
# Description:
A Cross-Site Request Forgery (CSRF) vulnerability leading to account takeover exists in ERPNext 14.82.1 and 14.74.3. The flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without the administrator's knowledge or consent.
Affected endpoints include:
– /api/method/frappe.desk.reportview.delete_items
– /api/method/frappe.desk.form.save.savedocs
Impact:
– Deletion of arbitrary users
– Unauthorized role assignment
– Account takeover via password change
The application fails to enforce CSRF tokens on administrative API requests, contrary to OWASP recommendations.
—
# PoC 1: Delete a User
Delete User
—
# PoC 2: Assign Role
Assign Role to User
—
# PoC 3: Reset Password
Reset User Password
—
# Mitigation:
– Enforce CSRF protection for all administrative endpoints
– Require POST methods for state changes
– Mark cookies as SameSite=Strict
– Implement re-authentication for critical user changes
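As an added defensive example (not part of the advisory and not ERPNext's or Frappe's own code), the following Python sketch applies the first three mitigation items to the two endpoints named above: state changes accepted only over POST, an exact-match Origin/Referer check, a per-session synchronizer token compared in constant time, and a session cookie issued with SameSite=Strict. The re-authentication item is not shown. The Request and CsrfGuard classes, the session ids, and the site origin https://erp.example.test are all constructed for this example; only the two endpoint paths come from the advisory.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Paths quoted in the advisory above; the set itself is a constructed example.
PROTECTED_ENDPOINTS = {
    "/api/method/frappe.desk.reportview.delete_items",
    "/api/method/frappe.desk.form.save.savedocs",
}
SITE_ORIGIN = "https://erp.example.test"  # constructed origin of the protected site


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not a framework type)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def source_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


class CsrfGuard:
    """Synchronizer-token CSRF check plus origin and method enforcement (hypothetical)."""

    def __init__(self, site_origin):
        self.site_origin = site_origin
        self._tokens = {}  # session id -> CSRF token (server-side store)

    def issue_token(self, session_id):
        """Create a per-session token that the site's own pages embed in their forms."""
        token = secrets.token_hex(32)
        self._tokens[session_id] = token
        return token

    def check(self, req):
        """Return (allowed, reason) for a request; non-protected paths pass through."""
        if req.path not in PROTECTED_ENDPOINTS:
            return True, "not a protected endpoint"
        # 1. State changes only over POST: an <img> or link GET cannot trigger them.
        if req.method != "POST":
            return False, "state change must use POST"
        # 2. Exact-match origin check; a startswith() test would accept look-alike hosts.
        origin = source_origin(req.headers)
        if origin != self.site_origin:
            return False, f"origin {origin!r} is not the site origin"
        # 3. Token bound to the session; a cross-site page cannot read it to replay it.
        expected = self._tokens.get(req.cookies.get("sid", ""))
        submitted = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token")
        if not expected or not submitted:
            return False, "missing CSRF token"
        if not hmac.compare_digest(expected, submitted):
            return False, "CSRF token mismatch"
        return True, "ok"


def session_cookie_header(session_id):
    """Set-Cookie value for the session cookie: SameSite=Strict stops the browser
    from attaching it to cross-site requests; Secure and HttpOnly limit exposure."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def demo():
    """Run the guard over constructed requests and return each verdict."""
    guard = CsrfGuard(SITE_ORIGIN)
    token = guard.issue_token("sess-admin")  # constructed session id
    delete_path = "/api/method/frappe.desk.reportview.delete_items"
    # Same-origin request carrying the session's token: allowed.
    legit = Request("POST", delete_path,
                    headers={"Origin": SITE_ORIGIN, "X-CSRF-Token": token},
                    cookies={"sid": "sess-admin"})
    # Cross-site form post: browser sends the cookie, but Origin is foreign and no token.
    forged = Request("POST", delete_path,
                     headers={"Origin": "https://other.example.test"},
                     cookies={"sid": "sess-admin"})
    # Look-alike origin with a guessed token: fails the exact origin match.
    lookalike = Request("POST", delete_path,
                        headers={"Origin": SITE_ORIGIN + ".example.net",
                                 "X-CSRF-Token": "0" * 64},
                        cookies={"sid": "sess-admin"})
    # Same-origin but via GET: state changes are refused outside POST.
    via_get = Request("GET", delete_path, headers={"Origin": SITE_ORIGIN},
                      cookies={"sid": "sess-admin"})
    return {"legit": guard.check(legit), "forged": guard.check(forged),
            "lookalike": guard.check(lookalike), "via_get": guard.check(via_get)}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:10s} allowed={allowed} ({reason})")
```

The three checks are layered on purpose: the origin check alone fails when a browser omits both headers, and the token check alone is only as strong as the session cookie it is tied to, which is why the cookie is also issued with SameSite=Strict.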
—
# Disclosure Timeline:
– 2025-02-09: Vulnerability discovered
– 2025-02-10: Reported to Frappe (no response)
– 2025-04-29: Public disclosure via CVE + advisory
—
# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne
# References:
– https://owasp.org/www-community/attacks/csrf