Stored XSS in ERPnext Demo website

In the ERPNext demo at the link below:
https://demo.erpnext.com/desk#Form/Asset%20Repair/ARLOG-00001

the "Comment" functionality is vulnerable to XSS: stored, reflected, cookie, and possibly more.

Follow the images below to confirm.

Impact: An attacker can use this vulnerability to inject malicious code into the application, which will execute in the browser of any user who views the relevant application content. The attacker's code can perform a wide variety of actions, such as stealing the target user's cookies, performing actions on their behalf, and capturing the user's keystrokes.

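The usual server-side mitigation for the comment field described above, as an added example that is not Frappe's own fix: an allow-list HTML sanitizer run on the comment body before it is stored, so that tags, event-handler attributes and `javascript:` links never reach the browsers of other users. Tag and attribute allow-lists are assumptions chosen for illustration.

```python
# Added example (not Frappe/ERPNext code): server-side allow-list sanitizer
# for a rich-text comment field, applied before the comment is stored. Tags
# and attributes outside the allow-list are dropped, script/style bodies are
# discarded entirely, and href is restricted to safe schemes.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "a", "ul", "ol", "li", "br", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no on* handlers, no style
DROP_CONTENT_TAGS = {"script", "style"}     # text inside these is never kept
VOID_TAGS = {"br"}


def safe_href(url):
    """Allow http(s), mailto and same-site relative paths only."""
    u = (url or "").strip().lower()
    return u.startswith(("http://", "https://", "mailto:")) or (
        u.startswith("/") and not u.startswith("//"))


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, set())
                    and (n != "href" or safe_href(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")
        # any other tag is dropped; its text still passes through handle_data

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape <, > and &


def sanitize_comment(html):
    """Return a version of the comment that is safe to store and render as HTML."""
    p = CommentSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Sanitizing at save time, rather than only at render time, also protects API consumers and e-mail notifications that reuse the stored comment HTML.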

Thanks for reporting. We will fix it soon. You can follow its development here: XSS Vulnerability in comment area · Issue #5546 · frappe/frappe · GitHub

This has been assigned a CVE - CVE-2018-11339

More details are available at https://exchange.xforce.ibmcloud.com/vulnerabilities/143723

I'm facing the same issue in V13. Can anyone please guide me on how to resolve this?

@netchampfaris
Please guide us on how to solve this; we are facing a vulnerability that allows injecting malicious code into the application.