CVE-2022-28598
Published: 22 August 2022
Summary
CVE-2022-28598 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Frappe ERPNext. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Frappe ERPNext version 12.29.0 contains a cross-site scripting vulnerability tracked as CVE-2022-28598 and assigned CWE-79. The flaw arises because the application fails to neutralize user-controllable input before embedding it in web pages served to other users, allowing script execution in the context of the affected ERP system. The issue carries a CVSS 3.1 base score of 6.1, reflecting a network attack vector, low attack complexity, no privileges required, user interaction required, and changed scope with limited confidentiality and integrity impact.
An unauthenticated remote attacker can supply crafted input that is later rendered for other users, enabling theft of session tokens, redirection to malicious sites, or other actions within the ERPNext web interface. Public proof-of-concept material, including a Packet Storm entry and an accompanying technical PDF, demonstrates the reflected XSS vector in the 12.29.0 release.
EPSS for the CVE rose from a low baseline to a peak of 0.1520 before receding to the current value of 0.0589, indicating measurable post-disclosure exploitation interest that later subsided. No vendor advisory or patch details appear among the listed references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33040
Vulnerability details
Frappe ERPNext 12.29.0 is vulnerable to XSS: the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects web inputs containing script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.