CVE-2019-25312
Persistent XSS in InoERP 0.7.2 Comment Section Enables Cookie Theft
Publication date: 2026-02-11
Last updated on: 2026-03-02
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inoideas | inoerp | 0.7.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25312 is a persistent cross-site scripting (XSS) vulnerability found in InoERP version 0.7.2, specifically in the comment section of the application.
This vulnerability allows unauthenticated attackers to inject malicious JavaScript code into comments. Because the application does not properly sanitize or escape user input, the malicious scripts are stored and later executed in the browsers of other users who view the affected comments.
The injected scripts can perform actions such as stealing cookies and session information, which could lead to account hijacking or unauthorized access.
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to execute malicious scripts in their browsers when they view compromised comments.
The primary impact includes the theft of cookies and session information, which attackers can use to hijack user accounts and impersonate legitimate users.
Because the vulnerability requires no authentication and has a network attack vector with low complexity, it poses a significant risk to all users interacting with the comment section.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to submit a comment containing a JavaScript payload to the comment section of InoERP version 0.7.2 and then observing if the script executes when the comment is viewed.
A practical test involves navigating to a forum content page such as `http://your-server-ip/content.php?mode=9&content_type=forum&category_id=7`, creating a new question, and submitting a comment with the payload `<img src=# onerror="alert(document.cookie);">`. If an alert box showing cookies appears when viewing the comment, the vulnerability is present.
There are no specific network commands provided in the resources, but manual testing via the web interface with crafted input is the suggested detection method. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the comment functionality to prevent unauthenticated users from submitting comments until a patch or fix is applied.
Applying proper input sanitization and output encoding on the comment input fields is necessary to neutralize malicious scripts. Since the current function mysql_prep() does not sanitize input, updating the code to use proper escaping functions such as htmlentities or equivalent is critical.
If a patch or updated version of InoERP is available from the vendor or community, upgrading to that version is recommended.
In the absence of an official patch, consider implementing web application firewall (WAF) rules to block suspicious script injections in comments.
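The following PHP snippet is an added illustration of the mitigation described above; it is not InoERP's code, and `sql_escape_only()` is a hypothetical stand-in for a SQL-escaping helper, not the real `mysql_prep()` implementation. It shows why escaping for SQL alone leaves the stored comment dangerous, and how HTML output encoding at render time neutralizes the payload quoted in the detection note. The sample comment is constructed for the example.

```php
<?php
// Added example, not InoERP code. Demonstrates SQL escaping vs. HTML output
// encoding for a stored comment. sql_escape_only() is hypothetical and only
// models "escape for the database"; it is not the real mysql_prep().
declare(strict_types=1);

// Hypothetical: escapes characters that matter inside a SQL string literal.
// It does nothing about '<', '>' or event-handler attributes.
function sql_escape_only(string $value): string
{
    return addslashes($value);
}

// Vulnerable rendering: the stored comment is concatenated into HTML as-is,
// so any markup inside it becomes live in the viewer's browser.
function render_comment_vulnerable(string $storedComment): string
{
    return '<div class="comment">' . $storedComment . '</div>';
}

// Hardened rendering: encode for the HTML-body context at the point of output.
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
function render_comment_safe(string $storedComment): string
{
    $encoded = htmlspecialchars($storedComment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="comment">' . $encoded . '</div>';
}

// Crude check used only for this demonstration: does the rendered HTML still
// contain an unencoded tag start or inline event handler?
function contains_active_markup(string $html): bool
{
    return (bool) preg_match('/<img\b|\bonerror\s*=/i', $html);
}

// Constructed sample: the payload from the detection note above.
$comment = '<img src=# onerror="alert(document.cookie);">';

// What a SQL-only escaping step produces: quotes gain backslashes for the
// database, but the tag and the onerror handler survive unchanged.
$forDatabase = sql_escape_only($comment);
echo "Stored (SQL-escaped only): {$forDatabase}\n";

// After the database hands the value back, vulnerable output is still live.
$vulnerable = render_comment_vulnerable($comment);
echo "Vulnerable render active markup? " . var_export(contains_active_markup($vulnerable), true) . "\n";

// Encoded output renders the payload as visible text, not executable markup.
$safe = render_comment_safe($comment);
echo "Safe render: {$safe}\n";
echo "Safe render active markup? " . var_export(contains_active_markup($safe), true) . "\n";
```

Run with `php example.php`; the vulnerable render reports `true` and the safe render reports `false`, with the safe output containing `&lt;img src=# onerror=&quot;...&quot;&gt;` instead of a live tag. The key design point is that encoding belongs at the output boundary for the context being written (HTML body here); escaping for SQL on the way in protects the database, not the browser. As defence in depth against the cookie-theft impact the page describes, setting the session cookie with the HttpOnly flag keeps `document.cookie` from exposing it even if a script does run.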