CVE-2022-23055

{"id": "CVE-2022-23055", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2022-06-22T09:15:08.007", "references": [{"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134", "tags": ["Exploit", "Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}, {"url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155", "tags": ["Exploit", "Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}, {"url": "https://www.mend.io/vulnerability-database/CVE-2022-23055", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "vulnerabilitylab@mend.io", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users."}, {"lang": "es", "value": "En ERPNext, versiones v11.0.0-beta hasta v13.0.2, son vulnerables a una falta de autorizaci\u00f3n, en la funcionalidad chat rooms. Un atacante poco privilegiado puede enviar un mensaje directo o un mensaje de grupo a cualquier miembro o grupo, haci\u00e9ndose pasar por el administrador. El atacante tambi\u00e9n puede leer los mensajes de chat de grupos a los que no pertenece, y de otros usuarios"}], "lastModified": "2023-11-07T03:44:02.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBF3D7E6-2B29-4142-A007-F699140D1C9A", "versionEndExcluding": "13.1.0", "versionStartIncluding": "11.0.4"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B76E3184-E14E-485B-A108-C1F24850F77E"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta10:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9DCB37E-061E-44D6-A686-6464B5BE54D2"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta11:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C2D6DF-B4E5-434B-8632-DB1DF10CE5E9"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta12:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C6F3220-13B5-4504-87DB-09495E5E1386"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta13:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6AFF494-240F-4981-B4EC-24771A6E1E4C"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta14:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69D3FEA8-FC3F-434E-AFA6-D03D8EFAC524"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta15:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D81630-3EE2-498E-9A76-0F0C1CDD1A15"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta16:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3367D0E-5701-4FCA-8307-0FA7D25D71E3"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta17:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DBD878F-935B-427F-B6DF-4DA4356E9843"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta18:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAE5DFE4-55B8-4F68-8C3A-2CDC13D8A735"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta19:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F22BFC9-CA3D-4B57-AD93-1B5094D69508"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE5E71D9-CCD4-47F4-9AC8-4E4A112E9C0A"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta20:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA394555-C3A0-4142-B023-60A9014C87E8"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta21:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B5C737A-A824-4E7D-A8D6-A0E0A4AE710A"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta22:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33E4D6A6-2F64-4DB8-9946-5E54FE889E6C"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta23:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AAD166B-0B54-4D74-A61D-A17F34C403F6"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta24:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2856944B-7178-414D-B485-5B8C4D88E95D"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta25:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27EE33DF-6485-463D-BB51-33D4295D3E55"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta26:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBEED6D7-3EA2-4BC0-B7F8-5F104F90EB82"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta27:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5E9A6A8-A210-467F-888C-1327C8E5F5D0"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta28:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97CA5919-E7B0-417B-BF91-6B407F83F167"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta29:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0C2C925-F3D3-4C5D-A281-2BE62F32BB52"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0411AA32-05B2-49C2-A0DC-8F74BDABCA3B"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta30:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31D7C223-4E62-41E1-A88F-54DF1DFA9C75"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta31:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1686CCA-6C44-425C-B851-D429A5C550CF"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta32:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "873CA32C-42A6-4531-838A-E4B584AB389D"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta33:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B6D20B-863A-48C0-8600-BE768498DBFF"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta34:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CA04572-0978-4378-A658-15896AFDEBFC"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta35:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8697CA97-1F21-4158-9773-BB67A250BDD7"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta36:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7746744-C5D1-459E-9574-ADC2FD24CED8"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta37:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F61D01B-BB6D-4A4E-9774-BEC19997A733"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE9DFDFA-9387-46C2-BC9C-58A90713F0E6"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86661EEC-799A-404B-A847-D91A00403F3C"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2AFA67C7-6829-4160-A7C8-B3DD56E60CF3"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90E1D4DA-2D89-4CD5-B34F-33D96BD2C341"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B4BE801-0FF0-4B44-8DCF-E2805DCC39A6"}, {"criteria": "cpe:2.3:a:frappe:erpnext:11.0.3:beta9:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4AE27CF-FCAF-4491-AAC1-8EB5E5C5FD6A"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerabilitylab@mend.io"}