PT-2020-10352 · Treasuryxpress · Treasuryxpress
Published: 2020-08-20
Updated: 2020-08-24
CVE-2019-20151
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
TreasuryXpress version 19191105
Description
A cross-site scripting issue exists because user input in the Note field of the Multi Approval security component is neither filtered nor sanitized. A malicious payload stored in the Note field is later rendered and executed in the browser of the application's administrator(s).
Recommendations
For TreasuryXpress version 19191105, as a temporary workaround, consider disabling the Note field in the Multi Approval security component to prevent payload injection until a fix is available. Restrict access to the Multi Approval security component to minimize the risk of exploitation, and avoid using the Note field in the affected component until the issue is resolved.
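As an added example that is not part of this advisory or of TreasuryXpress's own code, the following JavaScript contrasts the unescaped rendering pattern behind this class of bug with output encoding of the Note field before it reaches an administrator's view; the function names and the sample approval request are assumptions for illustration.

```javascript
// Added example, not TreasuryXpress code: contrasts an unescaped render of the
// Multi Approval "Note" field with a render that HTML-encodes it. Function and
// field names are assumptions for illustration.

// The five characters that change meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the note is concatenated straight into the admin's
// approval-queue markup, so any markup a submitter typed becomes live DOM.
function renderNoteUnsafe(note) {
  return `<td class="note">${note}</td>`;
}

// Hardened pattern: encode on output, regardless of what was accepted on input.
function renderNoteSafe(note) {
  return `<td class="note">${escapeHtml(note)}</td>`;
}

// Defensive check for stored notes (e.g. in a review script or log monitor):
// true when the note contains characters or entities meaningful as markup.
function noteLooksLikeMarkup(note) {
  return /[<>]|&#|&[a-z]+;/i.test(String(note));
}

// Constructed sample approval request, not real data.
const sampleRequest = {
  id: 'APR-0001',
  note: `Urgent <script>alert('note')</script> please approve`,
};

console.log(renderNoteUnsafe(sampleRequest.note)); // markup reaches the page
console.log(renderNoteSafe(sampleRequest.note));   // markup shown as text
console.log(noteLooksLikeMarkup(sampleRequest.note)); // true
```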
Weakness Enumeration
XSS
Affected Products
Treasuryxpress