
File Upload XSS

https://cxsecurity.com/issue/WLB-2018060329

POC steps are the following:
[+] Choose a website and sign up.
[+] Go to update profile: https://www.your-erpnext.com/update-profile?name=
[+] Choose your Ev!l, upload it, and go to: /files/yours

Added github issue at https://github.com/frappe/frappe/issues/5768

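The advisory above boils down to one thing: a file a user uploads is later served back from the application's own origin under /files/, so anything the browser will render as HTML or SVG runs as script in that origin. The check a maintainer would want is shown below as an added example; it is not Frappe's or ERPNext's own code, and the function names (`looks_like_active_content`, `safe_download_headers`, `screen_upload`) and the sample payloads are assumptions constructed for the example. It screens the upload at write time by extension and by sniffing the first bytes the way a browser would, and it builds the response headers that keep a file from being rendered even if the screen is bypassed.

```python
"""Added example, not Frappe/ERPNext code: screening user uploads that will be
served back from the application's own origin (for example under /files/).

Two layers:
  1. At upload time, refuse anything a browser would render as active content
     (HTML, SVG, XML, JS), both by extension and by sniffing the leading bytes,
     which also catches polyglots such as "GIF89a<script>...".
  2. At download time, emit headers that force a download and forbid MIME
     sniffing, so a file that slips through still cannot run as a page.
"""
import re

# Extensions browsers treat as documents that can carry script.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "mhtml", "svg", "xml", "xsl", "js"}

# Markup that makes a browser switch into an HTML/SVG document context.
# Searched over the first 1 KiB so "GIF89a<script>" style polyglots are caught.
_ACTIVE_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|svg|iframe|object|embed|meta)\b",
    re.IGNORECASE,
)


def looks_like_active_content(data: bytes, filename: str) -> bool:
    """True if the file would be rendered as HTML/SVG/JS by a browser."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ACTIVE_EXTENSIONS:
        return True
    # Browsers sniff the leading bytes; skip a UTF-8 BOM and whitespace first.
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    return _ACTIVE_MARKERS.search(head) is not None


def safe_download_headers(filename: str, content_type: str = "application/octet-stream") -> dict:
    """Headers for serving a user-controlled file without rendering it."""
    # Neutralise characters that could break out of the header value.
    clean = re.sub(r'[\r\n"\\;]', "_", filename) or "download"
    return {
        "Content-Type": content_type,
        # attachment: the browser downloads instead of navigating to the file.
        "Content-Disposition": f'attachment; filename="{clean}"',
        # nosniff: the declared Content-Type is final, no HTML sniffing.
        "X-Content-Type-Options": "nosniff",
        # sandbox: even if rendered, script is disabled and the origin is opaque.
        "Content-Security-Policy": "sandbox",
    }


def screen_upload(data: bytes, filename: str) -> tuple:
    """Return ("reject", reason) or ("accept", headers_to_serve_with)."""
    if looks_like_active_content(data, filename):
        return ("reject", "file would be rendered as active content")
    return ("accept", safe_download_headers(filename))


# Constructed sample inputs (not real uploads) for a quick stand-alone run.
SAMPLE_SVG_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>'
SAMPLE_GIF_POLYGLOT = b"GIF89a\x01\x00\x01\x00<script>alert(1)</script>"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("avatar.png", SAMPLE_SVG_PAYLOAD),
                       ("pic.gif", SAMPLE_GIF_POLYGLOT),
                       ("photo.png", SAMPLE_PNG)]:
        print(name, "->", screen_upload(blob, name))
```

Screening by extension alone is not enough: the first constructed sample is an SVG document saved as `avatar.png`, and the second is a GIF header followed by a script tag, which is why the sniff searches the leading bytes rather than only checking the first few. The download headers are the independent second layer; `Content-Disposition: attachment` together with `nosniff` is what keeps a `/files/` URL from ever being a page in the application's origin.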

Thanks for notifying

Please report security issues at report@erpnext.com

Thanks!

Yeah, I just stumbled across the post - the disclosure wasn’t made by me. Since it was already public, I figured the best place to get visibility was the forum and an issue.

One idea is to add a SECURITY.md file to help promote responsible disclosures. Electron has a good example: https://github.com/electron/electron/blob/master/SECURITY.md

The foundation could also look at applying for a free HackerOne license to help coordinate disclosures: https://www.hackerone.com/product/community

https://erpnext.com/reporting-security-vulnerabilities 🙂

Perhaps this can be added in the ReadMe as well.

I looked in the repos, erpnext.org, and frappe.io. Looks like it was on erpnext.com (though I’m not sure how to actually reach that page through the navigation without a direct link).

I’m just stating the experience I went through trying to find the security disclosure contact information for the project. I don’t know what others think. You can make the call as to where to place the information.
