Platform
java
Component
gems-erp-portal
Fixed versions
2.0.1
2.1.1
A cross-site scripting (XSS) vulnerability has been identified in Advaya Softech's GEMS ERP Portal, impacting versions 2.0 and 2.1. This flaw resides within the Error Message Handler component, specifically the /home.jsp?isError=true endpoint. Attackers can leverage this vulnerability to inject malicious scripts, potentially compromising user sessions and data integrity. A patch is available in version 2.1.1.
Successful exploitation of CVE-2025-15170 allows an attacker to inject arbitrary JavaScript code into the GEMS ERP Portal. This can lead to various malicious outcomes, including session hijacking, defacement of the web application, and theft of sensitive user data such as login credentials or financial information. The remote nature of the vulnerability means an attacker doesn't require local access to the system. Given the ERP nature of the application, the potential blast radius extends to all data managed within the system, including customer records, financial transactions, and inventory data. The public disclosure of this vulnerability significantly increases the risk of exploitation.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of response from the vendor raises concerns about the application's overall security posture. While no active exploitation campaigns have been publicly confirmed, the availability of the vulnerability details makes it a prime target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV, but the public disclosure warrants monitoring.
Organizations utilizing GEMS ERP Portal versions 2.0 and 2.1, particularly those with sensitive data or critical business processes managed within the system, are at significant risk. Shared hosting environments where multiple tenants share the same server instance are also particularly vulnerable, as a compromise of one tenant could potentially impact others.
• java / web server: Monitor access logs for requests to /home.jsp?isError=true with unusual or suspicious values in the Message parameter. Look for patterns indicative of script injection (e.g., <script>, javascript:, eval()).
grep 'GET /home\.jsp?isError=true.*Message=' /var/log/apache2/access.log
• generic web: Use curl to test the endpoint with various payloads to see if they are reflected in the response.
curl -s 'http://<target>/home.jsp?isError=true&Message=<script>alert(1)</script>' | grep '<script>'
• generic web: Check response headers for unusual Content-Security-Policy directives that might be bypassed.
curl -sI 'http://<target>/home.jsp?isError=true' | grep -i Content-Security-Policy
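The grep check above only sees raw log text, so it cannot tell a percent-encoded script tag from an ordinary error message. The following added example (not part of the original advisory or of the vendor's code) decodes the Message parameter before matching; the log lines are constructed, and the function names and the extra "any HTML tag" marker are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Markers named in the advisory (<script>, javascript:, eval()) plus, as an
# addition of this example, any opening HTML tag: an error text needs no markup.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|eval\s*\(|<\s*[a-z!/]", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_message(log_line):
    """Return the decoded Message value when the line is a request to
    /home.jsp?isError=true carrying an injection marker, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/home.jsp"):
        return None
    # parse_qs already decodes one level of percent-encoding.
    params = {k.lower(): v for k, v in parse_qs(url.query).items()}
    if params.get("iserror", [""])[0].lower() != "true":
        return None
    for raw in params.get("message", []):
        decoded = decode_fully(raw)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_message) for every suspicious line."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := suspicious_message(line))]

SAMPLE_LOG = [  # constructed lines in Apache combined log format
    '192.0.2.10 - - [12/Jan/2026:10:01:02 +0000] "GET /home.jsp?isError=true&Message=Invalid+password HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2026:10:02:11 +0000] "GET /home.jsp?isError=true&Message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540 "-" "curl/8.5.0"',
    '203.0.113.5 - - [12/Jan/2026:10:04:00 +0000] "GET /index.jsp?Message=%3Cscript%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, message in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious Message value: {message!r}")
```

POST bodies are not written to the access log, so this only covers payloads delivered in the query string.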
Exploitation status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15170 is to upgrade GEMS ERP Portal to version 2.1.1 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to filter requests to the /home.jsp?isError=true endpoint, specifically blocking requests with manipulated 'Message' parameters. Input validation on the server-side, specifically sanitizing user-supplied input before rendering it in the response, can also help prevent XSS attacks. Regularly review and update the application's security configuration to minimize the attack surface.
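Update GEMS ERP Portal to a version later than 2.1 to fix the cross-site scripting (XSS) vulnerability. If no such version is available, contact the vendor (Advaya Softech) to obtain a security patch. As a temporary measure, validate and escape all user input in the /home.jsp file to prevent malicious code injection.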
CVE-2025-15170 is a cross-site scripting (XSS) vulnerability affecting GEMS ERP Portal versions 2.0 and 2.1, allowing attackers to inject malicious scripts via the /home.jsp endpoint.
You are affected if you are using GEMS ERP Portal versions 2.0 or 2.1. Upgrade to version 2.1.1 or later to mitigate the risk.
The recommended fix is to upgrade to GEMS ERP Portal version 2.1.1 or later. As a temporary workaround, implement a WAF rule to filter suspicious requests.
While no active exploitation campaigns have been publicly confirmed, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the Advaya Softech website or contact their support for the official advisory regarding CVE-2025-15170.