CVE-2023-54345 – ERPNext

CVSS 8.8 IMPORTANT

“A sandbox escape turns trusted users into full system attackers.”

This patch addresses a high-impact remote code execution vulnerability in Frappe Framework ERPNext 13.4.0. The issue stems from a sandbox escape in RestrictedPython, allowing authenticated users with System Manager privileges to break out of intended restrictions. By abusing frame introspection, attackers can execute arbitrary OS commands through server-side scripting functionality.

CVE-2023-54345 has a CVSS score of 8.8, which is High severity.

Proof-of-concept exploitation is publicly available, confirming that this vulnerability can be reliably leveraged. While it requires authenticated access, the ability to execute arbitrary code results in complete system compromise, including access to sensitive data and backend infrastructure.
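Because the patch is the real fix, the only defensive code worth adding here is a triage aid. The following is an added example, not code from the advisory or from Frappe: a heuristic audit that scans Server Script bodies (Frappe stores them in the Server Script doctype; here the scripts are passed in as a constructed name-to-body dict) for identifiers associated with Python frame introspection, so an administrator can see which scripts deserve a closer look while the upgrade is scheduled. The token list is this example's own choice, not an official RestrictedPython list, and absence of a hit does not prove a script is safe.

```python
"""Heuristic audit of Frappe Server Script bodies for frame-introspection tokens.

Added example for CVE-2023-54345 triage; the sample scripts below are constructed.
"""
import re
from dataclasses import dataclass

# Names tied to Python frame/generator introspection and interpreter internals.
# Heuristic list chosen for this example (assumption), not derived from RestrictedPython.
SUSPECT_TOKENS = (
    "f_back", "f_globals", "f_locals", "f_builtins", "f_code",
    "gi_frame", "cr_frame", "ag_frame", "tb_frame",
    "__globals__", "__builtins__", "__subclasses__", "__import__",
    "_getframe",
)

# Match a token only as a whole identifier segment (e.g. "sys._getframe", "x.f_globals"),
# not as a substring of an unrelated name such as "full_name".
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(re.escape(t) for t in SUSPECT_TOKENS) + r")(?![A-Za-z0-9_])"
)


@dataclass(frozen=True)
class Finding:
    script_name: str
    line_no: int
    token: str
    line: str


def audit_script(name: str, body: str) -> list:
    """Return one Finding per suspect token occurrence in a single script body."""
    findings = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append(Finding(name, line_no, match.group(1), line.strip()))
    return findings


def audit_scripts(scripts: dict) -> list:
    """Audit a mapping of script name -> script source (e.g. rows of the Server Script doctype)."""
    return [f for name, body in scripts.items() for f in audit_script(name, body)]


def flagged_script_names(scripts: dict) -> list:
    """Sorted, de-duplicated names of scripts with at least one finding."""
    return sorted({f.script_name for f in audit_scripts(scripts)})


# Constructed sample data: two ordinary business scripts and one that touches frame internals.
SAMPLE_SCRIPTS = {
    "Sales Invoice validate": (
        "if doc.grand_total < 0:\n"
        "    frappe.throw('Grand total cannot be negative')\n"
    ),
    "Nightly cleanup": (
        "for d in frappe.get_all('ToDo', filters={'status': 'Closed'}):\n"
        "    frappe.delete_doc('ToDo', d.name)\n"
    ),
    "Odd report script": (
        "import sys\n"
        "caller = sys._getframe(1)\n"
        "print(caller.f_globals.keys())\n"
    ),
}

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_SCRIPTS):
        print(f"{finding.script_name}:{finding.line_no}: {finding.token!r} in {finding.line!r}")
```

Run it against an export of your Server Script records; each hit prints the script name, line number and offending token. Treat hits as review candidates, not verdicts: the list is deliberately narrow and the authoritative remediation remains applying the vendor patch.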

Key Details

Affected Product: Frappe ERPNext
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
CWE Classification: CWE-94
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.