Impact
This vulnerability allows an attacker to inject malicious script into the client browser through the /accounts/mr-save component of Devs Palace ERP Online. The injected code executes in the context of any user viewing the affected page, enabling theft of session cookies, data exfiltration, or page defacement. The weakness is a classic Reflected or Stored XSS flaw, catalogued as CWE‑79; the separate CWE‑94 classification suggests that the component may also process user input as executable code, which further limits the developer's ability to sanitize that input safely. The CVSS score of 4.8 indicates that the flaw is considered low‑severity, but once exploited it can expose confidential data to every web user who visits the affected page.
Affected Systems
Devs Palace ERP Online versions up to 4.0.0 are affected. No specific patch version is identified in the advisory, and the vendor has not responded to the disclosure.
Risk and Exploitability
The CVSS score of 4.8 indicates a low‑severity vulnerability; no EPSS score is available, and the advisory is not listed in the CISA KEV catalog. The likely attack vector is a remote user submitting a crafted request to the mr-save endpoint, where unsanitized or improperly encoded input allows script injection. The remote nature of the exploit and the lack of defensive controls mean that any authenticated or unauthenticated user who receives the rendered page could be affected. While the low score suggests a moderate risk, the simplicity of an XSS payload and the public disclosure increase the likelihood that organizations will be targeted by scripted attacks.
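The advisory contains no code, so the following is an added illustration (not Devs Palace code) of the reflection pattern behind CWE‑79 beside a hardened renderer: it assumes a hypothetical handler for the mr-save path that echoes a "name" field back into HTML, and uses a constructed sample parameter to show how context-aware output encoding and a CSP header remove the injection.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input for the example only: the advisory does not document the
# request format of /accounts/mr-save, so the field name "name" is an assumption.
SAMPLE_PARAMS = {"name": "<script>alert(1)</script>"}


def render_vulnerable(params: dict) -> str:
    """Hypothetical mr-save response that reflects the submitted value verbatim
    into the page body: this is the pattern CWE-79 describes."""
    return f"<p>Saved record for: {params.get('name', '')}</p>"


def render_hardened(params: dict) -> str:
    """Same page with encoding chosen per output context: HTML-escape text that
    lands in element content, percent-encode the copy placed in a URL query."""
    name = params.get("name", "")
    safe_text = html.escape(name, quote=True)
    safe_url = "/accounts/view?name=" + quote(name, safe="")
    return (f"<p>Saved record for: {safe_text}</p>"
            f'<a href="{safe_url}">view</a>')


def security_headers() -> dict:
    """Defence-in-depth headers for the response: the CSP refuses inline script
    even if an encoding step is missed elsewhere in the application."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Markers of executable content that should never survive into rendered output
# unencoded; usable in regression tests or a response-scanning check.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def contains_raw_script(rendered_html: str) -> bool:
    """True when a script construct reached the output without encoding."""
    return bool(SCRIPT_MARKERS.search(rendered_html))


if __name__ == "__main__":
    print("vulnerable leaks script:", contains_raw_script(render_vulnerable(SAMPLE_PARAMS)))
    print("hardened leaks script:  ", contains_raw_script(render_hardened(SAMPLE_PARAMS)))
```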
OpenCVE Enrichment