PatchSiren cyber security CVE debrief
CVE-2023-5989 Uyumsoft Information System and Technologies CVE debrief
CVE-2023-5989 describes a stored cross-site scripting (XSS) issue in Uyumsoft Information System and Technologies' LioXERP before v0.146. The supplied description says an authenticated user can execute stored XSS, while the NVD record assigns a network-reachable CVSS 3.1 score of 6.1 with user interaction required. Because stored XSS can affect other users who view the injected content, this issue should be treated as a real client-side compromise risk in affected LioXERP deployments.
- Vendor: Uyumsoft Information System and Technologies
- Product: LioXERP
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-12-21
- Original CVE updated: 2026-05-20
- Advisory published: 2023-12-21
- Advisory updated: 2026-05-20
Who should care
Security teams and administrators responsible for Uyumsoft LioXERP deployments, especially where authenticated users can create or edit content that other users may later view.
Technical summary
The vulnerability is classified as Improper Neutralization of Input During Web Page Generation (CWE-79). NVD lists the affected CPE as Uyumsoft LioXERP versions prior to 0.146. The CVSS vector provided by NVD is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-reachable issue that depends on user interaction and can impact confidentiality and integrity in the browser context. The supplied description characterizes the flaw as stored XSS and notes authenticated-user involvement; the source set does not provide a vendor patch advisory beyond the version boundary.
Defensive priority
Medium. The issue is not rated as availability-impacting, but stored XSS can enable session abuse, content manipulation, and phishing-style activity against users of the application.
Recommended defensive actions
- Identify all LioXERP instances and determine whether any are running versions earlier than 0.146.
- Prioritize upgrading or otherwise remediating affected instances to a fixed version at or above 0.146.
- Review application areas where user-supplied content is stored and later rendered, and ensure output encoding and input handling are consistently applied.
- If remediation is not immediately possible, restrict who can submit content and monitor for suspicious user-generated entries or unexpected script-bearing fields.
- After remediation, validate that pages rendering user input no longer execute injected script content in normal browser use.
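The third, fourth and fifth actions above (consistent output encoding, monitoring stored fields for script-bearing content, and validating after remediation) can be exercised with a small script. The following is an added illustration written for this debrief; it is not LioXERP code and it does not know the product's schema, so the record fields and sample values are constructed, and the rendering functions stand in for whatever templating the application actually uses.

```python
import html
import re
from typing import Callable, Iterable

# Constructed sample of stored ERP field values. The field names are
# assumptions for illustration only; they are not LioXERP's real schema.
SAMPLE_RECORDS = [
    {"id": 1, "field": "customer_name", "value": "Acme Ltd & Sons"},
    {"id": 2, "field": "note", "value": "Net 30 days"},
    {"id": 3, "field": "note", "value": "<script>alert(1)</script>"},
    {"id": 4, "field": "address", "value": '<img src=x onerror="alert(1)">'},
]

# Markers of script-bearing markup: a <script> element, or any element that
# carries an on*= event-handler attribute. Both are anchored on a literal
# '<', so correctly encoded output (&lt;...) does not trigger them.
SCRIPT_MARKERS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"<\w+[^>]*\bon\w+\s*=", re.IGNORECASE),
]


def render_unsafe(value: str) -> str:
    """The CWE-79 pattern: stored text is concatenated into HTML verbatim."""
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """Hardened rendering: HTML-encode at output time for an element body."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def looks_script_bearing(text: str) -> bool:
    """True if the text contains markup that a browser would execute as script."""
    return any(p.search(text) for p in SCRIPT_MARKERS)


def audit_records(records: Iterable[dict]) -> list[int]:
    """Return ids of stored records whose values carry script-bearing markup.

    Suitable as a periodic review job over user-editable fields while an
    instance is still waiting for the upgrade to 0.146 or later.
    """
    return [r["id"] for r in records if looks_script_bearing(r["value"])]


def encoding_is_effective(records: Iterable[dict],
                          renderer: Callable[[str], str]) -> bool:
    """Post-remediation check: rendered output for every stored value must be
    free of script-bearing markup, whatever the stored value contains."""
    return not any(looks_script_bearing(renderer(r["value"])) for r in records)


if __name__ == "__main__":
    print("flagged stored records:", audit_records(SAMPLE_RECORDS))
    print("unsafe renderer inert:", encoding_is_effective(SAMPLE_RECORDS, render_unsafe))
    print("safe renderer inert:", encoding_is_effective(SAMPLE_RECORDS, render_safe))
```

The audit function flags records 3 and 4 in the constructed sample, the verbatim renderer fails the post-remediation check on those same records, and the encoding renderer passes it for every record. The detector is deliberately anchored on a literal `<` rather than on bare substrings such as `onerror=`, so that properly encoded output is not reported as a finding; in a real deployment the same check would be run against the application's actual rendered pages, and the encoding would need to match each output context (element body, attribute, URL, script), which a single `html.escape` call does not cover.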
Evidence notes
Supplied source data ties the issue to Uyumsoft LioXERP before v0.146 and labels it CWE-79. The NVD record provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The supplied description says the flaw allows an authenticated user to execute stored XSS, which differs from the NVD privileges-required value of PR:N; treat the prerequisite detail cautiously. The source set includes USOM references and official CVE/NVD records, but no direct vendor remediation bulletin was provided.
Official resources
- CVE-2023-5989 CVE record (CVE.org)
- CVE-2023-5989 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Publicly disclosed on 2023-12-21T10:15:37.990Z; the supplied record was last modified on 2026-05-20T14:16:34.713Z.