CVE-2020-13893

Name of the Vulnerable Software and Affected Versions Sage EasyPay version 10.7.5.10

Description The issue allows authenticated attackers to inject arbitrary web script or HTML via multiple parameters through Unicode Transformations (Best-fit Mapping), as demonstrated by the full-width variants of the less-than sign (%EF%BC%9C) and greater-than sign (%EF%BC%9E). This is a stored cross-site scripting (XSS) issue.

Recommendations For Sage EasyPay version 10.7.5.10, consider restricting access to parameters that allow Unicode Transformations (Best-fit Mapping) to minimize the risk of exploitation. As a temporary workaround, avoid using parameters that can be used to inject arbitrary web script or HTML until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.