webERP is prone to information-disclosure, SQL-injection, and cross- site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks. An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie- based authentication credentials and launch other attacks. webERP 4.0.5 is vulnerable prior versions may also be affected.

Vendor updates are available. Please see the references for more information.

• http://www.securityfocus.com/archive/1/520561
• http://www.securityfocus.com/bid/50713
• https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_weberp.html

---

Updated on 2017-03-28