CVE-2022-28598

MEDIUM

Frappe ERPNext 12.29.0 - Stored Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-28598. PoCs published by Patrick Dean Ramos / Nathu Nandwani / Junnair Manla, patrickdeanramos.

AI-analyzed exploit summary

This is a writeup describing a stored XSS vulnerability in ERPNext 12.29, where the 'last_known_version' field in the 'My Settings' page allows arbitrary script injection. The exploit requires authentication and triggers when viewing the PDF form.

Description

Frappe ERPNext 12.29.0 is vulnerable to XSS: the software does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served to other users as a web page.

Exploits (2)

exploitdb WRITEUP
by Patrick Dean Ramos / Nathu Nandwani / Junnair Manla · text · webapps · java
https://www.exploit-db.com/exploits/51255

This is a writeup describing a stored XSS vulnerability in ERPNext 12.29, where the 'last_known_version' field in the 'My Settings' page allows arbitrary script injection. The exploit requires authentication and triggers when viewing the PDF form.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: ERPNext 12.29
Auth required
Prerequisites: Authenticated access to ERPNext · Ability to modify 'My Settings'
MITRE ATT&CK:
Analyzed by devstral-2 · Feb 16, 2026
nomisec WRITEUP
by patrickdeanramos · poc
https://github.com/patrickdeanramos/CVE-2022-28598

This repository documents a stored XSS vulnerability in ERPNext 12.29.0, where the 'last_known_version' field in the 'My Settings' page can be exploited via an authenticated POST request. The injected script executes when the PDF view is accessed.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: ERPNext 12.29.0
Auth required
Prerequisites: Authenticated access to ERPNext · Ability to modify 'My Settings'
MITRE ATT&CK:
Analyzed by devstral-2 · Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0482
EPSS Percentile 90.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
frappe/erpnext 12.29.0
Published Aug 22, 2022
Tracked Since Feb 18, 2026