PT-2020-10353 · Treasuryxpress · Treasuryxpress

Published: 2020-08-20 · Updated: 2020-08-24 · CVE-2019-20152

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TreasuryXpress version 19191105

Description: A stored cross-site scripting (XSS) issue was discovered due to the lack of filtering and sanitization of user input, allowing malicious JavaScript to be executed throughout the application. A malicious payload entered in the Custom Workflow component via the Create New Workflow field is stored and later rendered in the navigation bar, so it executes on every page of the application where the navigation bar is displayed.

Recommendations: For TreasuryXpress version 19191105, as a temporary workaround, consider disabling the Custom Workflow component until a patch is available. Restrict access to the Create New Workflow field to minimize the risk of exploitation.
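The root cause described above is a user-supplied workflow name being written into the navigation bar markup without escaping. The following is an added example, not TreasuryXpress code (the product's rendering code is not public); the function names, the `workflow` object shape and the sample name are assumptions. It shows the unsafe concatenation pattern beside the hardened form that escapes at the output boundary, plus an optional input-side check for the Create New Workflow field.

```javascript
// Added example (not TreasuryXpress code): render a user-supplied workflow
// name into a navigation bar without letting it be interpreted as HTML.
// All names here are hypothetical; the product's real rendering code is not public.

// Minimal HTML entity escaping for text placed inside element content or
// inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so a name containing a tag becomes live HTML wherever the nav bar renders.
function renderNavItemUnsafe(workflow) {
  return `<li class="nav-item" data-id="${workflow.id}">${workflow.name}</li>`;
}

// Hardened pattern: every user-controlled value is escaped when it is written
// into HTML, so the same name is displayed literally on every page.
function renderNavItemSafe(workflow) {
  return `<li class="nav-item" data-id="${escapeHtml(workflow.id)}">` +
    `${escapeHtml(workflow.name)}</li>`;
}

// Optional input-side check for the "Create New Workflow" field: reject names
// containing characters a workflow name never needs. This is defence in depth;
// the output escaping above is the control that actually prevents the XSS.
function isValidWorkflowName(name) {
  return typeof name === "string" &&
    name.length > 0 && name.length <= 64 &&
    !/[<>"'&]/.test(name);
}

// Constructed sample: a workflow whose name carries a script tag.
const sampleWorkflow = { id: 42, name: "Payments <script>demo()</script>" };

console.log("unsafe:", renderNavItemUnsafe(sampleWorkflow));
console.log("safe:  ", renderNavItemSafe(sampleWorkflow));
console.log("valid name?", isValidWorkflowName(sampleWorkflow.name));
```

When the navigation bar is built with DOM APIs rather than string templates, assigning the name to `textContent` (never `innerHTML`) gives the same protection as `renderNavItemSafe`. A Content Security Policy that disallows inline scripts is a further mitigation while the escaping fix is being deployed.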

Category: XSS


Weakness Enumeration

Related Identifiers: CVE-2019-20152

Affected Products: Treasuryxpress