Stored Cross-Site Scripting (XSS) in the Multi-purpose Inventory Management System
Multi-Purpose Inventory Management System
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Multi-Purpose Inventory Management System, software for managing business operations. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-40641: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
No solution has been reported at this time.
CVE-2025-40641: Stored Cross-site Scripting (XSS) vulnerability in Multi-Purpose Inventory Management System, caused by a lack of proper validation of user input sent in a POST request via the product_name parameter in /Controller_Products/update. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details.
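With no fix reported, a compensating control has to cover both sides of a stored XSS: validating product_name when it is submitted and encoding it when it is rendered. The sketch below is an added example, not code from INCIBE or from the affected project; the allowlist policy, the function names and the assumption of a URL-encoded form body are illustrative, and Python is used only because the advisory does not name the application's language.

```python
import html
import re
from urllib.parse import parse_qs

# Endpoint and parameter are taken from the advisory text.
GUARDED_PATH = "/Controller_Products/update"
PARAM = "product_name"
# Assumed policy (not from the advisory): letters, digits, spaces and a few
# punctuation marks, 1-128 characters. No <, >, quotes, & or backticks.
ALLOWED = re.compile(r"[\w .,()/+\-]{1,128}")


def is_safe_product_name(value: str) -> bool:
    """Allowlist check applied before the value is stored."""
    return ALLOWED.fullmatch(value) is not None


def check_update_request(method: str, path: str, body: bytes) -> bool:
    """Return True if the request may pass, False if it should be rejected.

    Assumes an application/x-www-form-urlencoded body; a multipart form
    would need a multipart parser in place of parse_qs.
    """
    if method.upper() != "POST" or GUARDED_PATH.lower() not in path.lower():
        return True  # not the endpoint named in the advisory
    form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    # Every submitted copy must pass, so a duplicated parameter cannot slip by.
    return all(is_safe_product_name(v) for v in form.get(PARAM, []))


def render_product_name(stored: str) -> str:
    """Encode at output time so values already in the database render inert."""
    return html.escape(stored, quote=True)


if __name__ == "__main__":
    # Constructed sample request bodies, not captured traffic.
    samples = [
        b"product_name=USB-C+cable+(2+m)&qty=4",
        b"product_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&qty=4",
    ]
    for body in samples:
        print(check_update_request("POST", GUARDED_PATH, body), body)
    print(render_product_name("<script>alert(1)</script>"))
```

Output encoding is the control that matters for records stored before any input filter was in place; the input check only stops new entries.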