CVE-2019-25312

5.4 MEDIUM

📋 TL;DR

CVE-2019-25312 is a persistent cross-site scripting (XSS) vulnerability in InoERP 0.7.2 that allows unauthenticated attackers to inject malicious JavaScript into comment sections. When other users view these comments, the scripts execute in their browsers, potentially stealing session cookies and sensitive information. All users of InoERP 0.7.2 who access comment functionality are affected.

💻 Affected Systems

Products:
  • InoERP
Versions: 0.7.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation with no special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full system access, compromise user accounts, and exfiltrate sensitive business data.

🟠 Likely Case

Attackers steal user session cookies to hijack accounts, perform unauthorized actions, and potentially escalate privileges within the application.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before reaching user browsers, preventing execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Exploit-DB (ID 47428); running it requires only a web browser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: http://inoideas.org/

Restart Required: No

Instructions:

1. Check the InoERP GitHub repository for security updates.
2. Apply any available patches for XSS vulnerabilities.
3. Verify input validation and output encoding are properly implemented.

🔧 Temporary Workarounds

Disable Comment Functionality (applies to: all)

Temporarily disable or restrict access to comment sections to prevent exploitation.

  • Modify application configuration to disable comment posting

Implement Web Application Firewall (WAF) (applies to: all)

Deploy a WAF with XSS protection rules to filter malicious payloads.

  • Configure WAF rules to block script tags and JavaScript in comment parameters

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to restrict script execution
  • Deploy network segmentation to isolate the InoERP instance from critical systems
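The two defensive layers this page names, output encoding ("If Mitigated" above) and a restrictive Content-Security-Policy (first bullet above), shown side by side in an added example. This is not InoERP code and not the vendor's fix: the render functions, the page fragment layout, the CSP directive set and the sample comments are constructed for illustration; the probe string is the one this page's "How to Verify" section mentions.

```python
"""Added example (not InoERP code): context-aware output encoding plus a
Content-Security-Policy header as a compensating control. Function names,
the comment markup and the sample inputs are constructed for illustration."""
import html
import re

# Constructed sample input: the probe string this page suggests, plus a
# benign comment whose characters must survive encoding intact.
SAMPLE_COMMENTS = [
    "<script>alert('test')</script>",
    "Invoice #42 looks fine, 5 < 7 & 7 > 5",
]

# Matches a raw <script ...> opening tag in rendered HTML. This checks for
# unencoded output in the examples below; it is not an XSS filter.
RAW_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: untrusted text is interpolated into the page as-is."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: HTML-encode the untrusted value for the element body.
    quote=True also encodes both quote characters, so the same helper is
    safe when the value lands inside a quoted attribute."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def rendered_as_script(fragment: str) -> bool:
    """True if the rendered fragment still contains an active <script> tag."""
    return RAW_SCRIPT_TAG.search(fragment) is not None


def csp_header() -> str:
    """A restrictive Content-Security-Policy value: scripts only from the
    site's own origin, no inline script, no plugins, no framing.
    Constructed example policy, not InoERP's configuration."""
    directives = {
        "default-src": "'self'",
        "script-src": "'self'",
        "object-src": "'none'",
        "base-uri": "'self'",
        "frame-ancestors": "'none'",
    }
    return "; ".join(f"{name} {value}" for name, value in directives.items())


def compare(comments):
    """Return (unsafe_hits, safe_hits): how many comments still render as an
    active script tag under each rendering path."""
    unsafe = sum(rendered_as_script(render_comment_unsafe(c)) for c in comments)
    safe = sum(rendered_as_script(render_comment_safe(c)) for c in comments)
    return unsafe, safe


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("unsafe:", render_comment_unsafe(c))
        print("safe:  ", render_comment_safe(c))
    print("Content-Security-Policy:", csp_header())
    print("active script tags (unsafe, safe):", compare(SAMPLE_COMMENTS))
```

Encoding is the fix; the CSP only limits what a missed injection can do (an inline payload is refused by `script-src 'self'`), which is why the page lists it under "If You Can't Patch" rather than as a remediation.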

🔍 How to Verify

Check if Vulnerable:

Test by submitting a comment containing a simple XSS probe such as <script>alert('test')</script> and check whether it executes when the comment is viewed.

Check Version:

Check the InoERP version in the application interface or configuration files.

Verify Fix Applied:

After applying fixes, repeat the XSS test to confirm scripts no longer execute and are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual comment submissions containing script tags or JavaScript code
  • Multiple failed login attempts following comment activity

Network Indicators:

  • Outbound connections to suspicious domains from user browsers after viewing comments

SIEM Query:

search source="web_logs" (comment OR post) AND (script OR javascript OR alert)
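The SIEM query above is a keyword search; it misses URL- or entity-encoded submissions and fires on benign prose that merely contains the word "javascript". The following is an added example (not the page's or InoERP's tooling) of the log indicator above implemented as a small detector: it parses constructed application log lines, decodes the submitted value, and flags comment posts that contain executable markup. The log format, field names, paths and IP addresses are constructed for illustration.

```python
"""Added example (not InoERP's or this page's tooling): flag comment
submissions that carry script markers after decoding. The log line format,
paths, IPs and bodies below are constructed for illustration."""
import html
import re
from urllib.parse import unquote_plus

# Constructed log lines: timestamp, client IP, method, path, then the
# URL-encoded form body as a hypothetical application might log it.
SAMPLE_LOG = """\
2019-09-24T10:01:02Z 198.51.100.7 POST /comment/add text=Thanks+for+the+update
2019-09-24T10:01:09Z 198.51.100.7 POST /comment/add text=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E
2019-09-24T10:02:15Z 203.0.113.5 POST /comment/add text=%26lt%3Bscript%26gt%3Balert%28%27test%27%29%26lt%3B%2Fscript%26gt%3B
2019-09-24T10:03:40Z 203.0.113.9 GET /comment/view?id=17 -
2019-09-24T10:04:01Z 192.0.2.33 POST /comment/add text=See+javascript+docs+chapter+3
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$"
)

# Markers of executable content, matched after decoding so encoded variants
# are not missed. The bare word "javascript" is deliberately not a marker:
# only the URL scheme form (with a colon) is.
SCRIPT_MARKERS = [
    re.compile(r"<\s*script\b", re.I),                 # opening script tag
    re.compile(r"\bon[a-z]+\s*=", re.I),               # inline event handler
    re.compile(r"javascript\s*:", re.I),               # javascript: URL scheme
    re.compile(r"<\s*(iframe|object|embed)\b", re.I),  # embedded active content
]


def normalize(value: str) -> str:
    """Undo common layered encodings: URL-decode twice, then HTML entities."""
    return html.unescape(unquote_plus(unquote_plus(value)))


def parse_line(line: str):
    """Split one constructed log line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_comment_submission(event: dict) -> bool:
    return event["method"] == "POST" and event["path"].startswith("/comment/")


def flag_script_markers(line: str):
    """Return (ip, decoded_body, marker_pattern) for a suspicious comment
    submission, or None for benign or non-submission lines."""
    event = parse_line(line)
    if not event or not is_comment_submission(event):
        return None
    body = normalize(event["body"])
    for marker in SCRIPT_MARKERS:
        if marker.search(body):
            return event["ip"], body, marker.pattern
    return None


def scan(log_text: str):
    """Run the detector over every line and collect the hits in order."""
    hits = []
    for line in log_text.splitlines():
        hit = flag_script_markers(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for ip, body, pattern in scan(SAMPLE_LOG):
        print(f"ALERT {ip}: {body!r} matched {pattern}")
```

Of the five constructed lines, only the two encoded submissions are flagged: the GET is not a submission, and the comment that merely mentions "javascript" in prose is left alone, which the keyword query above would not do.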
