Erp Online

6 CVEs product

CVE-2026-8256 LOW POC Monitor

Reflected cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /accounts/mr-save endpoint, enabling session hijacking or credential theft with user interaction. Exploit code is publicly available and the vendor has not responded to disclosure efforts, leaving affected deployments without an official patch.

XSS Erp Online
NVD VulDB
CVSS 4.0: 1.9
EPSS: 0.0%
CVE-2026-8255 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online versions up to 4.0.0 allows authenticated users with high privileges to inject malicious scripts via the /inventory/add_new_customer endpoint. The vulnerability requires user interaction (UI:P) and has publicly available exploit code, but real-world impact is significantly limited by the requirement for authenticated high-privilege access and user interaction, resulting in a CVSS score of only 1.9 despite network accessibility.

XSS Erp Online
NVD VulDB
CVSS 4.0: 1.9
EPSS: 0.0%
CVE-2026-8253 LOW POC Monitor

Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged users to inject malicious scripts via the /inventory/purchase_save endpoint, affecting the confidentiality of other users' sessions. The vulnerability requires administrative-level privileges and user interaction (UI:R), resulting in a low CVSS score of 2.4, though publicly available exploit code exists and the vendor has not responded to disclosure attempts.

XSS Erp Online
NVD VulDB
CVSS 4.0: 1.9
EPSS: 0.0%
CVE-2026-8219 LOW POC Monitor

Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/supplier-save endpoint, affecting data integrity and confidentiality of other users viewing the supplier data. The vulnerability requires user interaction (UI:P) and high-level privileges (PR:H), limiting its exploitation scope; however, publicly available exploit code exists and the vendor has not responded to disclosure.

XSS Erp Online
NVD VulDB
CVSS 4.0: 1.9
EPSS: 0.0%
CVE-2026-8218 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privilege users to inject malicious scripts via the /inventory/purchase_return_save endpoint. The vulnerability requires user interaction (UI:P) to trigger, and publicly available exploit code exists. The vendor has not responded to disclosure attempts, leaving affected installations without official guidance or patches.

XSS Erp Online
NVD VulDB
CVSS 4.0: 1.9
EPSS: 0.0%
CVE-2026-6651 LOW POC Monitor

Cross-site scripting (XSS) in erponline.xyz ERP Online up to version 4.0.0 allows authenticated attackers with high privileges to inject malicious scripts via the Item Name parameter on the Inventory Edit Item Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification, leaving affected deployments without a patched remediation path.

XSS Erp Online
NVD VulDB
CVSS 4.0: 1.9
EPSS: 0.0%
