File Upload XSS

https://cxsecurity.com/issue/WLB-2018060329

PoC steps are the following:
[+] choose a web site and sign up.
[+] go to update profile: https://www.your-erpnext.com/update-profile?name=
[+] choose your Ev!l & upload it & go to: /files/yours

Added GitHub issue at File Upload XSS · Issue #5768 · frappe/frappe · GitHub

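The bug class above (an uploaded file later fetched from the site's own /files/ path and rendered by the browser) is usually mitigated on the serving side. The following is an added, stand-alone example and not Frappe/ERPNext code: a header policy a `/files/<name>` handler could apply, forcing a download for anything that is not a known passive type and sniffing the first bytes so a renamed HTML/SVG file is still caught. Function and set names are assumptions for illustration.

```python
import mimetypes
import posixpath
import re

# Types browsers may render inline without running script from the file.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "application/pdf"}
# Types that must never be rendered inline from the application origin.
ACTIVE_CONTENT = {"text/html", "application/xhtml+xml", "image/svg+xml",
                  "text/xml", "application/xml"}


def safe_name(stored_name: str) -> str:
    """Drop directory components and anything that could break header quoting."""
    base = posixpath.basename(stored_name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "download"


def sniff_active_content(head: bytes) -> bool:
    """True if the leading bytes look like markup, whatever the extension says."""
    h = head.lstrip(b" \t\r\n\x00")[:64].lower()
    return h.startswith(b"<") and any(
        tag in h for tag in (b"<!doctype", b"<html", b"<svg", b"<?xml", b"<script"))


def headers_for_download(stored_name: str, head: bytes) -> dict:
    """Response headers for serving a user-uploaded file from /files/<name>."""
    name = safe_name(stored_name)
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    active = ctype in ACTIVE_CONTENT or sniff_active_content(head)
    headers = {
        # Make the browser honour Content-Type instead of guessing from content.
        "X-Content-Type-Options": "nosniff",
        # Even if something does render, it runs with no script and no origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if active or ctype not in INLINE_SAFE:
        # Neutral type plus forced download: nothing in the file executes.
        ctype = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    else:
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    headers["Content-Type"] = ctype
    return headers
```

Serving uploads from a separate origin (a dedicated files domain) removes the remaining risk entirely, since even a rendered file then has no access to the application's cookies or DOM.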

Thanks for notifying

Please report security issues at report@erpnext.com

Thanks!

Yeah, I just stumbled across the post - the disclosure wasn’t made by me. Since it was already public, I figured the best place to get visibility was the forum and an issue.

One idea is to add a security.MD file to help promote responsible disclosures. Electron has a good example: electron/SECURITY.md at main · electron/electron · GitHub

The foundation could also look at applying for a free HackerOne license to help coordinate disclosures: https://www.hackerone.com/product/community

Not Found :slight_smile:

Perhaps this can be added in the ReadMe as well.

I looked in the repos, erpnext.org, and frappe.io. Looks like it was on erpnext.com (though I’m not sure how to actually reach that page through the navigation without a direct link).

I’m just stating the experience I went through trying to find the security disclosure contact information for the project. I don’t know what others think. You can make the call as to where to place the information.
