Platform: java
Component: gems-erp-portal
Fixed in: 2.0.1, 2.1.1
A cross-site scripting (XSS) vulnerability has been identified in Advaya Softech's GEMS ERP Portal, impacting versions 2.0 and 2.1. This flaw resides within the Error Message Handler component, specifically the /home.jsp?isError=true endpoint. Attackers can leverage this vulnerability to inject malicious scripts, potentially compromising user sessions and data integrity. A patch is available in version 2.1.1.
Successful exploitation of CVE-2025-15170 allows an attacker to inject arbitrary JavaScript code into the GEMS ERP Portal. This can lead to various malicious outcomes, including session hijacking, defacement of the web application, and theft of sensitive user data such as login credentials or financial information. The remote nature of the vulnerability means an attacker doesn't require local access to the system. Given the ERP nature of the application, the potential blast radius extends to all data managed within the system, including customer records, financial transactions, and inventory data. The public disclosure of this vulnerability significantly increases the risk of exploitation.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of response from the vendor raises concerns about the application's overall security posture. While no active exploitation campaigns have been publicly confirmed, the availability of the vulnerability details makes it a prime target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV, but the public disclosure warrants monitoring.
Organizations utilizing GEMS ERP Portal versions 2.0 and 2.1, particularly those with sensitive data or critical business processes managed within the system, are at significant risk. Shared hosting environments where multiple tenants share the same server instance are also particularly vulnerable, as a compromise of one tenant could potentially impact others.
• java / web server: Monitor access logs for requests to /home.jsp?isError=true with unusual or suspicious parameters in the Message field. Look for patterns indicative of script injection (e.g., <script>, javascript:, eval()).
    grep -E 'GET /home\.jsp\?isError=true.*Message=' /var/log/apache2/access.log
• generic web: Use curl to test the endpoint with various payloads to see if they are reflected in the response.
    curl -s 'http://<target>/home.jsp?isError=true&Message=<script>alert(1)</script>' | grep '<script>'
• generic web: Check response headers for unusual content-security-policy directives that might be bypassed.
    curl -sI 'http://<target>/home.jsp?isError=true' | grep -i Content-Security-Policy
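A grep over the raw request line does not see a percent-encoded Message value, so the script-injection markers listed above can pass unnoticed. The following Python scanner is an added example, not part of the original advisory or the vendor's code; it decodes the Message parameter (once and twice) before matching. The log lines are constructed samples in Apache combined-log style, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request section of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Script-injection markers named in the advisory text.
MARKERS = re.compile(r'<\s*script|javascript:|eval\s*\(', re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /home.jsp?isError=true&Message=Invalid+login HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2026:10:00:05 +0000] "GET /home.jsp?isError=true&Message=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [10/Jan/2026:10:00:09 +0000] "GET /home.jsp?isError=true&Message=%253Cscript%253E HTTP/1.1" 200 530',
    '198.51.100.4 - - [10/Jan/2026:10:00:12 +0000] "GET /index.jsp?Message=%3Cscript%3E HTTP/1.1" 200 100',
]

def suspicious_message(line):
    """Return the decoded Message value that matched a marker, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/home.jsp"):
        return None
    # parse_qs percent-decodes once; parameter names are compared case-insensitively.
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if "true" not in (v.lower() for v in params.get("iserror", [])):
        return None
    for once in params.get("message", []):
        # Second decode catches double-encoded input (%253C -> %3C -> <).
        for candidate in (once, unquote(once)):
            if MARKERS.search(candidate):
                return candidate
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_message(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious Message value {value!r}")
```
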
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2025-15170 is to upgrade GEMS ERP Portal to version 2.1.1 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to filter requests to the /home.jsp?isError=true endpoint, specifically blocking requests with manipulated 'Message' parameters. Input validation on the server-side, specifically sanitizing user-supplied input before rendering it in the response, can also help prevent XSS attacks. Regularly review and update the application's security configuration to minimize the attack surface.
Update GEMS ERP Portal to a version later than 2.1 that fixes the cross-site scripting (XSS) vulnerability. If no such version is available, contact the vendor (Advaya Softech) for a security patch. As a temporary measure, validate and escape all user input in the /home.jsp file to prevent the injection of malicious code.
CVE-2025-15170 is a cross-site scripting (XSS) vulnerability affecting GEMS ERP Portal versions 2.0 and 2.1, allowing attackers to inject malicious scripts via the /home.jsp endpoint.
You are affected if you are using GEMS ERP Portal versions 2.0 or 2.1. Upgrade to version 2.1.1 or later to mitigate the risk.
The recommended fix is to upgrade to GEMS ERP Portal version 2.1.1 or later. As a temporary workaround, implement a WAF rule to filter suspicious requests.
While no active exploitation campaigns have been publicly confirmed, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the Advaya Softech website or contact their support for the official advisory regarding CVE-2025-15170.