# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
# Google Dork: inurl:"/api/method/frappe"
# Date: 2025-04-29
# Exploit Author: Ahmed Thaiban (Thvt0ne)
# Vendor Homepage: https://erpnext.com
# Software Link: https://github.com/frappe/erpnext
# Version: <= 14.82.1, 14.74.3 (Tested)
# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
# CVE : CVE-2025-28062
# Category: WebApps

# Description:

A Cross-Site Request Forgery (CSRF) vulnerability leading to account takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.

Affected endpoints include:
- /api/method/frappe.desk.reportview.delete_items
- /api/method/frappe.desk.form.save.savedocs

Impact:
- Deletion of arbitrary users
- Unauthorized role assignment
- Account takeover via password change

The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.

---

# PoC 1: Delete a User

Delete User

Click Here

---

# PoC 2: Assign Role

Assign Role to User

Add Role

---

# PoC 3: Reset Password

Reset User Password

Reset Password

---

# Mitigation:
- Enforce CSRF protection for all administrative endpoints
- Require POST methods for state changes
- Mark cookies as SameSite=Strict
- Implement re-authentication for critical user changes

---

# Disclosure Timeline:
- 2025-02-09: Vulnerability discovered
- 2025-02-10: Reported to Frappe (no response)
- 2025-04-29: Public disclosure via CVE + advisory

---

# Author Contact:
LinkedIn: https://linkedin.com/in/ahmedth
GitHub: https://github.com/Thvt0ne

# References:
- https://owasp.org/www-community/attacks/csrf
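The following is an added, self-contained example of the server-side checks the Mitigation section calls for (synchronizer CSRF token, Origin/Referer validation, and a SameSite=Strict session cookie). It is illustrative code written for this advisory, not Frappe's or ERPNext's implementation. The `Request`/`Session` classes, the session store, the trusted origin `https://erp.example.test` and the header name `X-Frappe-CSRF-Token` are assumptions made for the example; the endpoint paths are the two listed above and are used only as sample inputs.

```python
"""Synchronizer-token CSRF enforcement for state-changing API calls.

Added example (not the project's code). Assumes a server-side session store
keyed by the session cookie, a per-session CSRF token that the legitimate
front end echoes back in a request header, and a single trusted origin.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TRUSTED_ORIGIN = "https://erp.example.test"      # constructed value
CSRF_HEADER = "X-Frappe-CSRF-Token"             # assumed header name


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: str
    # A fresh, unguessable token is minted per session and never placed in a
    # cross-site-readable location; only the same-origin front end learns it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: Dict[str, Session] = {}


def new_session(user: str) -> str:
    """Create a session and return the opaque session id for the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user)
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: SameSite=Strict stops the browser from attaching the
    session cookie to any cross-site request, including forged form posts."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def _same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix match would accept
    'https://erp.example.test.attacker.example'."""
    got, want = urlsplit(url), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; every state-changing
    request must carry a valid session, a same-origin Origin/Referer when
    one is present, and the session's CSRF token in the request header."""
    if req.method not in STATE_CHANGING:
        return True, "safe method"

    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return False, "no session"

    # Browsers send Origin on cross-site POSTs; "null" or a foreign host fails.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and not _same_origin(origin):
        return False, "cross-origin request"

    supplied = req.headers.get(CSRF_HEADER, "")
    # Constant-time comparison on bytes so a malformed header cannot raise.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session("Administrator")
    forged = Request("POST", "/api/method/frappe.desk.reportview.delete_items",
                     headers={"Origin": "https://attacker.example"},
                     cookies={"sid": sid})
    legit = Request("POST", "/api/method/frappe.desk.form.save.savedocs",
                    headers={"Origin": TRUSTED_ORIGIN,
                             CSRF_HEADER: SESSIONS[sid].csrf_token},
                    cookies={"sid": sid})
    print("forged:", csrf_check(forged))
    print("legit: ", csrf_check(legit))
    print(session_cookie_header(sid))
```

The Origin check and the token check are deliberately independent: SameSite=Strict and origin validation block the browser-mediated forgery the advisory describes, while the per-session token still protects clients that omit Origin and Referer. A request that carries the administrator's cookie but no token, as a forged form post would, is rejected before any handler runs.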