CSRF Vulnerability in ERPNEXT Product by Frappe
CVE-2025-28062

8.1HIGH

Key Information:

Vendor: Frappe
Status: ERPNEXT
Vendor: CVE Published:; 5 May 2025

What is CVE-2025-28062?

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the ERPNEXT application, specifically in versions 14.82.1 and 14.74.3. This vulnerability allows attackers to execute unauthorized actions within the application, such as deleting user accounts, resetting passwords, and escalating user privileges, due to the absence of essential CSRF protections. This lack of validation can potentially lead to significant security breaches and compromise sensitive data.

References

https://github.com/frappe/erpnext

https://github.com/Thvt0ne/CVE-2025-28062

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 5, 2025
Vulnerability Reserved
Mar 11, 2025

JSON