Platform: java
Component: gems-erp-portal
Fixed in: 2.0.1, 2.1.1
A cross-site scripting (XSS) vulnerability has been identified in Advaya Softech's GEMS ERP Portal, impacting versions 2.0 and 2.1. This flaw resides within the Error Message Handler component, specifically the /home.jsp?isError=true endpoint. Attackers can leverage this vulnerability to inject malicious scripts, potentially compromising user sessions and data integrity. A patch is available in version 2.1.1.
Successful exploitation of CVE-2025-15170 allows an attacker to inject arbitrary JavaScript into pages served by the GEMS ERP Portal. Possible outcomes include session hijacking, defacement of the web application, and theft of sensitive user data such as login credentials or financial information. Because the vulnerability is remotely reachable, an attacker does not need local access to the system. Since the application is an ERP system, the potential blast radius extends to all data it manages, including customer records, financial transactions, and inventory data. The public disclosure of this vulnerability significantly increases the risk of exploitation.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of response from the vendor raises concerns about the application's overall security posture. While no active exploitation campaigns have been publicly confirmed, the availability of the vulnerability details makes it a prime target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV, but the public disclosure warrants monitoring.
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2025-15170 is to upgrade GEMS ERP Portal to version 2.1.1 or later, which includes the fix. If an immediate upgrade is not possible, consider a Web Application Firewall (WAF) rule that filters requests to the /home.jsp?isError=true endpoint, specifically blocking requests whose 'Message' parameter has been manipulated. Server-side input validation, combined with HTML-escaping user-supplied input before it is rendered in the response, also prevents this class of XSS. Regularly review and update the application's security configuration to minimize the attack surface.
Update GEMS ERP Portal to a version later than 2.1 that fixes the cross-site scripting (XSS) vulnerability. If no such version is available, contact the vendor (Advaya Softech) for a security patch. As a temporary measure, validate and escape all user input rendered by /home.jsp to prevent the injection of malicious code.
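As an added example (not code from GEMS ERP Portal or Advaya Softech), the Java below contrasts the rendering pattern behind this class of bug, a request parameter concatenated straight into the error page, with the output-encoded form the mitigation describes, plus a defense-in-depth variant that maps a server-side error code to a fixed message so nothing user-controlled is reflected at all. Only the parameter name "Message" comes from the advisory; the class name, method names, the FakeRequest stub standing in for HttpServletRequest, the "code" parameter and the message table are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not part of the GEMS ERP Portal code base.
 * Shows the unsafe JSP-style reflection of an error message next to
 * the HTML-encoded version and a lookup-by-code version.
 */
public class ErrorMessageEncodingDemo {

    /** Minimal stand-in for HttpServletRequest.getParameter so the example runs offline (assumption). */
    static final class FakeRequest {
        private final Map<String, String> params = new HashMap<>();
        FakeRequest set(String name, String value) { params.put(name, value); return this; }
        String getParameter(String name) { return params.get(name); }
    }

    /** VULNERABLE pattern: equivalent of <%= request.getParameter("Message") %> inside a JSP. */
    static String renderErrorUnsafe(FakeRequest request) {
        String message = request.getParameter("Message");
        if (message == null) message = "An error occurred.";
        // The raw value lands in the HTML body, so markup in it is interpreted by the browser.
        return "<div class=\"error\">" + message + "</div>";
    }

    /** HTML entity encoding for text placed between tags or inside a double-quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * HARDENED pattern: encode on output. In a JSP the same effect comes from
     * JSTL's <c:out value="${param.Message}"/>, which escapes XML by default.
     */
    static String renderErrorSafe(FakeRequest request) {
        String message = request.getParameter("Message");
        if (message == null) message = "An error occurred.";
        return "<div class=\"error\">" + escapeHtml(message) + "</div>";
    }

    /** Defense in depth: resolve a short error code to a server-side message (table is constructed). */
    private static final Map<String, String> KNOWN_MESSAGES = Map.of(
            "auth",    "Invalid username or password.",
            "session", "Your session has expired. Please sign in again.");

    static String renderErrorByCode(FakeRequest request) {
        String code = request.getParameter("code");
        String message = KNOWN_MESSAGES.getOrDefault(code == null ? "" : code, "An error occurred.");
        // Still encode: the text is trusted today, but the habit costs nothing.
        return "<div class=\"error\">" + escapeHtml(message) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample value containing every HTML-significant character.
        FakeRequest req = new FakeRequest()
                .set("isError", "true")
                .set("Message", "Login failed for <user> & \"guest\"")
                .set("code", "auth");
        System.out.println("unsafe : " + renderErrorUnsafe(req));
        System.out.println("encoded: " + renderErrorSafe(req));
        System.out.println("by code: " + renderErrorByCode(req));
    }
}
```

Running the class prints the three renderings side by side: the unsafe one keeps the angle brackets intact as markup, the encoded one turns them into entities so the browser shows them as text, and the lookup variant ignores the Message parameter entirely. Encoding must match the context the value lands in; the escaper above is correct for HTML body text and quoted attributes, not for JavaScript string literals or URLs.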
CVE-2025-15170 is a cross-site scripting (XSS) vulnerability affecting GEMS ERP Portal versions 2.0 and 2.1, allowing attackers to inject malicious scripts via the /home.jsp endpoint.
You are affected if you are using GEMS ERP Portal versions 2.0 or 2.1. Upgrade to version 2.1.1 or later to mitigate the risk.
The recommended fix is to upgrade to GEMS ERP Portal version 2.1.1 or later. As a temporary workaround, implement a WAF rule to filter suspicious requests.
While no active exploitation campaigns have been publicly confirmed, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the Advaya Softech website or contact their support for the official advisory regarding CVE-2025-15170.