MidnightBSD

Advisories for inoideas

CVE-2019-16894 HIGH

download.php in inoERP 4.15 allows SQL injection through insecure deserialization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-502,

Products Affected

Vendor Product Version
inoideas inoerp 4.15
CVE-2019-25312

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
inoideas inoerp 0.7.2
CVE-2020-28870 HIGH

In InoERP 0.7.2, an unauthorized attacker can execute arbitrary code on the server side due to lack of validations in /modules/sys/form_personalization/json_fp.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-94,

Products Affected

Vendor Product Version
inoideas inoerp 0.7.2