216.73.217.64

CVE-2025-65267

· Published 03/12/2025 15:15 · Modified 05/12/2025 18:35

Labels: CVE-2025-65267 2025-12-03CVE-2025-65267CWE-79[email protected]

Essential information

Published
03/12/2025 15:15
Modified
05/12/2025 18:35
Author
Creator
CVSS
9.0 CRITICAL (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS metrics

Description

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
frappe / erpnext cpe:2.3:a:frappe:erpnext:15.83.2:*:*:*:*:*:*:*
frappe / frappe cpe:2.3:a:frappe:frappe:15.86.0:*:*:*:*:*:*:*

References