CVE-2019-25312

MEDIUM

InoERP 0.7.2 - XSS


Description

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session information.

Exploits (1)

exploitdb WORKING POC
by strider · text · webapps · php
https://www.exploit-db.com/exploits/47428

Scores

CVSS v3: 5.4
EPSS: 0.0011
EPSS Percentile: 29.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1)
inoideas/inoerp 0.7.2
Published: Feb 11, 2026
Tracked Since: Feb 18, 2026