VYPR
Medium severity (5.4) · NVD Advisory · Published Jan 28, 2025 · Updated Apr 15, 2026

CVE-2025-22917

Description

A reflected cross-site scripting (XSS) vulnerability in Audemium ERP <=0.9.0 allows remote attackers to execute an arbitrary JavaScript payload in the web browser of a user by including a malicious payload into the 'type' parameter of list.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Audemium ERP ≤0.9.0 has a reflected XSS via the `type` parameter in `list.php`, enabling arbitrary JavaScript execution in a victim's browser.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in Audemium ERP versions ≤0.9.0. The list.php script directly echoes the GET type parameter value into the page without proper sanitization or encoding, allowing an attacker to inject arbitrary HTML and JavaScript [1].

Exploitation

An attacker can craft a malicious URL containing a JavaScript payload in the type parameter (e.g., list.php?type=) and trick an authenticated user into visiting it. The injected script executes in the context of the user's session, inheriting any privileges the user holds within the ERP application [1].

Impact

Successful exploitation allows execution of arbitrary JavaScript in the victim's browser. An attacker could steal session cookies, perform actions on behalf of the user, deface pages, or redirect the user to malicious sites, potentially leading to account takeover or data exfiltration [1].

Mitigation

The vendor has been notified, and contributors recommend input sanitization and the addition of a Web Application Firewall (WAF) to mitigate the risk. Users should upgrade to a patched version if available or apply manual input validation on the type parameter [1].
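The following PHP is an added illustration, not code from Audemium ERP or this advisory: a reconstruction of the unencoded-echo pattern the description attributes to list.php, beside a hardened handler that allow-lists the `type` value, output-encodes it, and adds a CSP as defense in depth. The function names, the list kinds in LIST_TYPES and the probe input are assumptions made for the example.

```php
<?php
// Added example (hypothetical names; not Audemium ERP's actual source).

// --- Vulnerable pattern: reconstruction of the reported defect ---
// The raw GET parameter is concatenated into HTML without encoding, so any
// markup in 'type' is reflected into the response as live HTML.
function render_vulnerable(array $get): string
{
    $type = $get['type'] ?? '';
    return "<h1>List: " . $type . "</h1>";
}

// --- Hardened pattern ---
// 1. Allow-list: 'type' selects a kind of list, so only known values are
//    accepted; anything else is rejected with 400 before rendering.
// 2. Output-encode whatever still reaches HTML, even allow-listed values,
//    with ENT_QUOTES | ENT_SUBSTITUTE and an explicit charset.
const LIST_TYPES = ['customer', 'supplier', 'invoice']; // assumed list kinds

function render_hardened(array $get): string
{
    $type = $get['type'] ?? '';
    if (!in_array($type, LIST_TYPES, true)) {
        http_response_code(400);
        return '<h1>Unknown list type</h1>';
    }
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>List: " . $safe . "</h1>";
}

// Defense in depth: a CSP with no 'unsafe-inline' blocks injected inline
// script even if an encoding gap is missed elsewhere in the application.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Self-check with a constructed, harmless marker (not an attack payload).
$probe = ['type' => '<b>probe</b>'];
if (!str_contains(render_vulnerable($probe), '<b>probe</b>')) {
    throw new RuntimeException('expected the vulnerable handler to reflect raw markup');
}
if (str_contains(render_hardened($probe), '<b>')) {
    throw new RuntimeException('hardened handler leaked raw markup');
}
echo "ok\n";
```

Run with `php` 8 or later (str_contains); the allow-list is the primary fix, and htmlspecialchars plus the CSP guard the remaining rendering paths.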

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)