CVE-2019-25312

MEDIUM

InoERP 0.7.2 - Unauthenticated Stored Cross-Site Scripting in Comment Section

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25312. PoCs published by strider.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in InoERP 0.7.2, where the comment section fails to properly sanitize user input, allowing arbitrary JavaScript execution. The PoC uses an `<img>` tag with an `onerror` event to trigger an alert with the user's cookies.

Description

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session information.

Exploits (1)

exploitdb WORKING POC
by strider · textwebappsphp
https://www.exploit-db.com/exploits/47428

This exploit demonstrates a persistent XSS vulnerability in InoERP 0.7.2, where the comment section fails to properly sanitize user input, allowing arbitrary JavaScript execution. The PoC uses an `<img>` tag with an `onerror` event to trigger an alert with the user's cookies.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: InoERP 0.7.2
No auth needed
Prerequisites: Access to the comment section of the target InoERP instance
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47428
Various Sources product
http://inoideas.org/
Various Sources product
https://github.com/inoerp/inoERP

Scores

CVSS v3 5.4
EPSS 0.0022
EPSS Percentile 13.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
inoideas/inoerp 0.7.2
Published Feb 11, 2026
Tracked Since Feb 18, 2026