Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability in ERPNext allows an attacker who can create or edit email templates to execute code on the server. Template bodies are rendered server-side, so directives injected into a template run with the application's own privileges, and an attacker with template-editing rights can potentially compromise the entire system.
- Reachable over the internet on exposed instances, but only through an authenticated account that can edit email templates.
- Could lead to a complete system takeover.
- Affects all users of vulnerable ERPNext versions.
Attack Path
How an attacker could exploit the issue
An attacker can exploit this Server-Side Template Injection vulnerability by creating or modifying email templates within ERPNext. When these compromised templates are rendered, the injected code executes on the server, potentially allowing for remote code execution or other malicious actions. This requires an attacker to have existing permissions to manage email templates.
- Requires authenticated access.
- Target is email template creation/editing.
- Server-side code execution is the goal.
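The mechanism behind this attack path, as an added illustration (not ERPNext's or Frappe's own rendering code): an email template is rendered server-side by a template engine, and if that engine exposes Python attribute traversal to whoever wrote the template text, the template author can reach the interpreter. The example uses Jinja2, which Frappe-based applications render with; the template strings, the `doc` context and the function names are constructed for this demonstration. It contrasts an unrestricted `Environment` with Jinja2's `SandboxedEnvironment`, which refuses the dunder-attribute access that every classic Jinja2 injection chain starts from.

```python
"""Added illustration (not ERPNext's or Frappe's code): why rendering a
user-editable email template with an unrestricted Jinja2 environment is
server-side template injection, and how a sandboxed environment blocks the
classic escape path. Requires the `jinja2` package (pip install jinja2)."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample: a template body as an attacker holding "create/edit
# email template" rights might save it. The payload walks from a string
# literal into the Python object hierarchy, the first step of most
# Jinja2 SSTI chains; it is an illustration, not a specific exploit.
MALICIOUS_TEMPLATE = "Hello {{ doc.customer_name }}, {{ ''.__class__.__mro__ }}"
BENIGN_TEMPLATE = "Hello {{ doc.customer_name }}, your order {{ doc.name }} shipped."

# Constructed render context standing in for the document being mailed.
CONTEXT = {"doc": {"customer_name": "Alice", "name": "SO-0001"}}


def render_unsandboxed(template: str, context: dict) -> str:
    # Vulnerable pattern: a plain Environment lets the template text reach
    # arbitrary Python attributes of every object in the context.
    return Environment(autoescape=True).from_string(template).render(**context)


def render_sandboxed(template: str, context: dict) -> str:
    # Hardened pattern: SandboxedEnvironment rejects unsafe attribute
    # access (dunder attributes, callables that reach the interpreter).
    return SandboxedEnvironment(autoescape=True).from_string(template).render(**context)


def is_blocked_by_sandbox(template: str, context: dict) -> bool:
    """True when the sandbox raises SecurityError for this template."""
    try:
        render_sandboxed(template, context)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    # The plain environment happily renders the class hierarchy...
    print(render_unsandboxed(MALICIOUS_TEMPLATE, CONTEXT))
    # ...while the sandbox refuses it and still renders legitimate content.
    print("blocked by sandbox:", is_blocked_by_sandbox(MALICIOUS_TEMPLATE, CONTEXT))
    print(render_sandboxed(BENIGN_TEMPLATE, CONTEXT))
```

The sandbox is a mitigation for the rendering step only; it does not change who is allowed to save a template, which is where the authorization boundary for this issue actually lives.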
Live Threat
Current exploitation, exposure, and threat context
This vulnerability allows attackers to inject code into email templates, which is then executed on the server. While critical, it requires the attacker to already be authenticated with the permissions needed to modify these templates. That keeps it out of reach of unauthenticated external attackers and makes it less likely to be weaponized in widespread attacks; the realistic threat is a compromised or malicious account that holds template-editing rights.
- Requires an authenticated user.
- Limited to accounts with template-editing rights.
Priority actions
Operational Fix
Recommended remediation, mitigation, and detection steps
Prioritize patching or isolating vulnerable ERPNext instances: any account that can edit email templates can turn that access into code execution on the server, so the impact is high even though the entry point is authenticated. Review logs for suspicious template activity, especially from administrative interfaces.
- Update ERPNext to a patched version.
- Until patched, restrict who can create or edit email templates (the vulnerable endpoints) to a minimal set of trusted roles.
- Monitor for unauthorized template modifications.
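One way to act on the monitoring step, as an added example that is not ERPNext's or Frappe's code: a review pass over exported email template bodies that flags Jinja constructs a notification template never needs but injection payloads rely on. The export format (a list of records with `name`, `modified_by` and `response` fields), the sample templates and the pattern list are constructed for this illustration; run it against whatever export of your template records you can produce, and treat a hit as a reason to inspect the template and the account that last modified it.

```python
"""Added example (not ERPNext/Frappe code): scan saved email template bodies
for Jinja constructs characteristic of template injection. Standard library
only. The record shape and sample templates below are constructed."""
import re

# Constructs a legitimate email template should never contain. Each is a
# well-known building block of Jinja2/Python template-injection chains.
SUSPICIOUS_PATTERNS = {
    "dunder_attribute": re.compile(r"__\w+__"),
    "subclass_walk": re.compile(r"__subclasses__|__mro__|__globals__|__builtins__"),
    "import_or_exec": re.compile(r"\b(import|__import__|eval|exec|popen|system)\b"),
    "attr_bypass": re.compile(r"\|\s*attr\s*\(|\[\s*['\"]__"),
    "hex_obfuscation": re.compile(r"\\x[0-9a-fA-F]{2}"),
}


def scan_template(body: str) -> list[str]:
    """Return the names of suspicious patterns found inside Jinja tags."""
    hits: list[str] = []
    # Only {{ ... }} and {% ... %} blocks are evaluated by the engine;
    # plain text between them is never executed, so it is not inspected.
    for tag in re.findall(r"\{\{.*?\}\}|\{%.*?%\}", body, flags=re.S):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(tag) and name not in hits:
                hits.append(name)
    return hits


def audit_templates(templates: list[dict]) -> list[dict]:
    """One finding per template whose body contains suspicious constructs."""
    findings = []
    for record in templates:
        hits = scan_template(record["response"])
        if hits:
            findings.append({
                "name": record["name"],
                "modified_by": record["modified_by"],
                "hits": hits,
            })
    return findings


# Constructed sample export of email template records (hypothetical data).
SAMPLE_TEMPLATES = [
    {"name": "Order Confirmation", "modified_by": "sales@example.com",
     "response": "Dear {{ doc.customer_name }}, order {{ doc.name }} is confirmed."},
    {"name": "Overdue Notice", "modified_by": "unknown@example.com",
     "response": "{{ ''.__class__.__mro__[1].__subclasses__() }}"},
    {"name": "Promo", "modified_by": "marketing@example.com",
     "response": "{% for i in doc.items %}{{ i.item_name }}{% endfor %}"},
    # Hex escapes inside a Jinja string literal are decoded by the engine,
    # so '\x5f\x5fclass\x5f\x5f' is '__class__' with the underscores hidden.
    {"name": "Obfuscated", "modified_by": "unknown@example.com",
     "response": "{{ doc|attr('\\x5f\\x5fclass\\x5f\\x5f') }}"},
]


if __name__ == "__main__":
    for finding in audit_templates(SAMPLE_TEMPLATES):
        print(f"{finding['name']!r} modified by {finding['modified_by']}: "
              f"{', '.join(finding['hits'])}")
```

Pair the scan with a diff of template bodies against a known-good baseline and with the modification timestamps and users your platform records; a template that gained a `{{` block from an account that does not normally edit templates is the signal the monitoring bullet above is after.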