Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Reflected cross-site scripting in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privilege users to inject malicious scripts via the /inventory/customer-save endpoint, requiring user interaction to execute. Despite public exploit availability and early vendor notification, no patch or vendor response has been documented. CVSS score of 1.9 reflects high authentication requirements and limited impact scope, though the presence of public exploit code indicates practical demonstration of the vulnerability.
Technical ContextAI
The vulnerability is a reflected XSS flaw (CWE-79) in the customer save functionality of an ERP web application. The /inventory/customer-save endpoint fails to properly sanitize or encode user-supplied input before rendering it in responses, allowing attackers to inject arbitrary JavaScript. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes failures in output encoding that enable script injection attacks in web applications. The attack vector is network-based, but exploitation is constrained by high privilege requirements (PR:H) and user interaction (UI:P), indicating the attacker must have administrative or elevated credentials and the victim must trigger the attack.
RemediationAI
Upgrade Devs Palace ERP Online to a version newer than 4.0.0 if available from the vendor; however, given the vendor's non-response to early disclosure notification, patch availability is uncertain and should be verified directly with the vendor or through the application's update mechanism. If no patched version is available, implement compensating controls: restrict network access to the /inventory/customer-save endpoint using a Web Application Firewall (WAF) to block requests containing script tags or event handlers (e.g., block payloads matching '<script', 'onerror=', 'onload='); configure Content Security Policy (CSP) headers to prevent inline script execution (policy-directive: script-src 'self'; note this may break legitimate functionality depending on application design); restrict administrative user accounts to trusted IP ranges and monitor admin account activity for anomalous access patterns; and consider disabling or removing the ERP Online application if it is no longer actively maintained and alternative solutions are available. Each control has trade-offs: WAF rules may cause false positives and require tuning, CSP implementation may require application code changes, and IP whitelisting reduces mobility but increases network friction.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28957
GHSA-w263-9cg4-874f