PT-2019-15201 · Apak · Apak Wholesale Floorplanning Finance
Published 2019-10-31 · Updated 2019-11-07 · CVE-2019-17551
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Apak Wholesale Floorplanning Finance versions 6.31.8.3 through 6.31.8.5
Description
The issue allows an attacker to send an authenticated POST request with a malicious payload to "/WFS/agreementView.faces", which enables a stored XSS via the mainForm:loanNotesnotes:0:rich text editor note text parameter in the Notes section. All versions with the vulnerable WYSIWYG editor in the Notes section are likely affected.
Recommendations
For versions 6.31.8.3 and 6.31.8.5, consider disabling the WYSIWYG editor in the Notes section until a patch is available.
Restrict access to the "/WFS/agreementView.faces" endpoint to minimize the risk of exploitation.
Avoid using the mainForm:loanNotesnotes:0:rich text editor note text parameter in the affected API endpoint until the issue is resolved.
Fix
XSS
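The recommendations above disable or fence off the Notes editor rather than address the root cause. The following is an added example, not Apak's code and not part of this advisory, of the usual server-side defence for a rich-text field: the submitted HTML is re-serialised through an allowlist, so a stored note can carry formatting but no script, event-handler attributes or javascript: links. The tag and attribute allowlist, the constructed note payload and the function names are assumptions chosen for illustration; the sanitizer is written in Python with the standard-library parser rather than in the Java stack a JSF application such as this one would use.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (an assumption for this example, not Apak's configuration):
# formatting a notes editor plausibly needs, and nothing that can run script.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https"}


class NoteSanitizer(HTMLParser):
    """Re-serialises rich-text HTML keeping only allowlisted tags/attributes.

    Everything else (script/style blocks, event-handler attributes, unsafe
    URL schemes, unknown tags, comments) is dropped; all text is HTML-escaped
    on output, so the stored note cannot break out of its markup later.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack, so only matching close tags are emitted
        self.skip_depth = 0   # > 0 while inside <script>/<style>: drop content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its inner text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, srcdoc=, ...
            if name == "href":
                scheme = urlparse((value or "").strip()).scheme.lower()
                if scheme not in SAFE_URL_SCHEMES:
                    continue  # drops javascript:, data:, vbscript: and relative links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close every tag opened since this one, so the output stays well-formed.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry no note content and can hide conditional markup

    def result(self):
        self.close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_note(html_fragment: str) -> str:
    """Return a safe-to-store version of a rich-text note body."""
    parser = NoteSanitizer()
    parser.feed(html_fragment)
    return parser.result()


# Constructed sample of what an editor might submit, mixing legitimate
# formatting with the kinds of markup a stored-XSS payload relies on.
CONSTRUCTED_NOTE = (
    '<p>Customer called re: <b>dealer stock</b>.</p>'
    '<script>alert(1)</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">link</a>'
    '<a href="https://example.com/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_note(CONSTRUCTED_NOTE))
```

Run this on the note body before it is persisted, and still context-encode on output; the sanitizer limits what the stored value can contain, it does not replace output encoding in the page template. Dropping relative and unknown-scheme links is a deliberate conservative choice; a deployment that needs them would extend the scheme check rather than remove it.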
Affected Products
Apak Wholesale Floorplanning Finance