CVE-2026-8220
Cross-Site Scripting in Devs Palace ERP Online
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devs_palace | erp_online | to 4.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves cross site scripting (XSS) in the /inventory/customer-save endpoint of Devs Palace ERP Online up to version 4.0.0. Detection typically involves monitoring HTTP requests to this endpoint for suspicious input patterns that could trigger XSS.
You can detect attempts by capturing and inspecting HTTP traffic to the affected endpoint. For example, using command-line tools like curl or wget to send test payloads or using network monitoring tools to log requests.
- Use curl to send a test XSS payload to the vulnerable endpoint: curl -X POST -d "input=<script>alert(1)</script>" https://your-erp-domain/inventory/customer-save
- Use a web proxy or network sniffer (e.g., Wireshark, tcpdump) to monitor traffic to /inventory/customer-save and look for suspicious scripts or encoded payloads.
- Check server logs for unusual or unexpected input patterns targeting the /inventory/customer-save path.
Can you explain this vulnerability to me?
This vulnerability exists in Devs Palace ERP Online up to version 4.0.0, specifically in an unknown function within the file /inventory/customer-save. It allows an attacker to perform cross-site scripting (XSS) attacks by manipulating this function. The attack can be executed remotely, meaning an attacker does not need physical access to the system to exploit it.
How can this vulnerability impact me? :
The vulnerability enables remote attackers to perform cross-site scripting attacks, which can lead to the execution of malicious scripts in the context of a user's browser. This can result in unauthorized actions such as stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the user without their consent.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint, sanitizing and validating all user inputs on the /inventory/customer-save endpoint, and applying web application firewall (WAF) rules to block common XSS payloads.
Since the vendor has not responded and no patch is available, consider the following actions:
- Limit access to the ERP system to trusted users and networks only.
- Implement input validation and output encoding on the server side to prevent script injection.
- Deploy a WAF or intrusion prevention system (IPS) with rules to detect and block XSS attack patterns.
- Monitor logs and network traffic for exploitation attempts.