A critical vulnerability has been identified in ERPNext and Frappe Framework that allows an attacker to embed malicious code within an uploaded user avatar image. When a privileged user, such as an administrator, views the malicious avatar, the code executes, potentially allowing the attacker to take over the administrator's account and gain full control of the ERP system. This could lead to significant data theft, operational disruption, and financial loss.

The vulnerability is a stored cross-site scripting (XSS) flaw caused by improper input validation of Scalable Vector Graphics (SVG) files uploaded as user avatars. An attacker can create a malicious SVG file containing a JavaScript payload and upload it as their profile picture. The application fails to sanitize the file, storing the malicious payload on the server. The attack is triggered when a user with elevated privileges, such as an administrator, clicks the link to view the attacker's avatar, causing the embedded JavaScript to execute within the administrator's browser session, in the context of the ERPNext application.

This vulnerability is rated as critical severity with a CVSS score of 9. Successful exploitation could have a severe impact on the business. An attacker could leverage the executed script to steal the administrator's session cookies, leading to a full account takeover. With administrative access, the attacker could escalate privileges, create rogue admin accounts, exfiltrate sensitive business data (e.g., financial records, customer PII, intellectual property), manipulate data, or deploy further malware, resulting in a full compromise of the ERPNext instance and significant reputational and financial damage.

Immediate Action:

• Immediately apply the security patches provided by the vendor to update ERPNext Multiple Products to the latest, non-vulnerable version.
• After patching, review system and web server access logs for any signs of exploitation attempts, such as suspicious SVG file uploads or unusual administrative activity.

Proactive Monitoring:

• Monitor web server logs for requests to user avatar files, particularly those with a .svg extension, followed by unusual API calls or administrative actions from the same source IP.
• Implement file integrity monitoring on the user upload directories to detect the presence of suspicious or malicious files.
• Review audit logs within ERPNext for unexpected changes to user permissions, system configurations, or data exports initiated by administrative accounts.

Compensating Controls:

• If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules to inspect and sanitize SVG file uploads for embedded scripts.
• Temporarily disable the ability for users to upload SVG files as avatars, restricting them to safer formats like PNG or JPG.
• Implement a strict Content Security Policy (CSP) to prevent the execution of inline scripts, which would mitigate the impact of this XSS attack.

Public Exploit Available: false

Given the critical CVSS score of 9 and the potential for a full system compromise, this vulnerability represents a significant risk to the organization. We strongly recommend that the vendor-supplied patches be applied on an emergency basis across all affected ERPNext instances. Although this CVE is not currently listed on the CISA KEV list, its high severity warrants immediate attention. After patching, a thorough review of access and audit logs should be conducted to identify any potential compromise that may have occurred prior to remediation.