Advaya Softech GEMS ERP Portal CVE-2025-15170
Severity by source: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in Advaya Softech GEMS ERP Portal up to 2.1. This affects an unknown part of the file /home.jsp?isError=true of the component Error Message Handler. The manipulation of the argument Message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Reflected cross-site scripting (XSS) in Advaya Softech GEMS ERP Portal versions up to 2.1 allows remote attackers to inject malicious scripts via the Message parameter in /home.jsp?isError=true. It is exploitable without authentication and needs no user interaction beyond viewing a crafted link. Public exploit code is available, though the CVSS score of 2.1 reflects the limited integrity impact and the user-interaction requirement; given the low EPSS score (0.05%), widespread exploitation is unlikely despite public disclosure.
Technical Context (AI)
The vulnerability exists in the Error Message Handler component within the /home.jsp endpoint. The error message functionality fails to sanitize or encode user-supplied input in the Message parameter before reflecting it back in the HTTP response. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected product is identified by the CPE 2.3 string advayasoftech:gems_erp_portal across all versions up to and including 2.1. The attack vector is network-based (AV:N) with low attack complexity (AC:L), no attack requirements (AT:N) and no privileges required (PR:N), but it depends on user interaction (UI:P) to view the malicious payload, which limits practical exploitation.
Remediation (AI)
No vendor-released patch has been identified at time of analysis, as the vendor was contacted early about the disclosure but did not respond. Immediate workarounds include:
(1) Implement input validation and output encoding on the Message parameter in the Error Message Handler to sanitize all user-supplied data before reflection in HTML context, using HTML entity encoding as a minimum.
(2) Apply a Web Application Firewall (WAF) rule to detect and block requests containing script tags or event handlers in the Message parameter (trade-off: may break legitimate error messages with special characters).
(3) Restrict access to /home.jsp to authenticated users only and implement strong session controls to limit exposure to unauthenticated reflected XSS.
(4) If possible, disable the isError=true parameter handling entirely and use server-side error handling instead.
For enterprise deployments, contact Advaya Softech directly for security patches, though vendor responsiveness appears limited based on initial disclosure contact.
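A log-review counterpart to workaround (2), added here as an example and not taken from the advisory or the vendor: it scans web access logs for requests to /home.jsp with isError=true whose Message value contains markup, including double percent-encoded values. The combined log format, the marker pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Markup that a plain-text error message should never contain.
# Assumption: tune this for your own messages; it can flag legitimate text.
MARKUP = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_message(log_line):
    """Return the decoded Message value when a request to the error handler
    carries markup, otherwise None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    if not url.path.endswith("/home.jsp") or "true" not in params.get("isError", []):
        return None
    for raw in params.get("Message", []):
        decoded = fully_decode(raw)
        if MARKUP.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_message) for every flagged log line."""
    hits = ((n, suspicious_message(line)) for n, line in enumerate(lines, 1))
    return [(n, msg) for n, msg in hits if msg is not None]

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /home.jsp?isError=true&Message=Invalid+login HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /home.jsp?isError=true&Message=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /home.jsp?isError=true&Message=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 540',
    '203.0.113.4 - - [01/Jan/2026:10:00:12 +0000] "GET /index.jsp?Message=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, msg in scan(SAMPLE_LOG):
        print(f"line {n}: Message={msg!r}")
```

Only query-string parameters appear in access logs, so a Message value sent in a POST body needs request-body logging or the WAF rule itself to be seen.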