PT-2020-16467 · Sage · Sage Dpw

Published: 2020-10-16 · Updated: 2020-10-29 · CVE-2020-26583

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sage DPW versions prior to 2020 06 002

Description: The expenses claiming functionality allows unauthenticated users to upload JavaScript files, although authentication is required to view the uploaded file. This enables an attacker to persistently include arbitrary HTML or JavaScript code in the affected web page, potentially changing the site's contents, redirecting users to other sites, or stealing user credentials. Users may also be exposed to browser exploits and JavaScript malware.

Recommendations: For versions prior to 2020 06 002, update to version 2020 06 002 or later to resolve the issue. As a temporary workaround, consider restricting access to the expenses claiming functionality so that unauthenticated users cannot upload files.
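As an added defender-side illustration (not Sage DPW's code), this is the kind of server-side validation an expense-attachment endpoint needs so that a script file is rejected at upload time and any stored attachment is served in a way the browser will not render or execute; the allowlist, size limit and function names are assumptions.

```python
"""Hardened upload handling for an expense-claim attachment endpoint.

Illustrative example, not the vendor's implementation: every check below
must pass, so a JavaScript file cannot slip through on an extension alone.
"""
import os
import secrets
from typing import Tuple

# Allowlist of receipt formats an expense claim legitimately needs (assumed).
# extension -> (expected MIME type, accepted magic-byte prefixes)
ALLOWED = {
    ".pdf": ("application/pdf", (b"%PDF-",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


def validate_upload(filename: str, content_type: str, data: bytes,
                    authenticated: bool) -> Tuple[bool, str]:
    """Return (accepted, reason); rejects unauthenticated and script uploads."""
    if not authenticated:
        return False, "authentication required to submit an expense claim"
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "empty or oversized file"
    # Judge only the final suffix of the bare basename, never a client path.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist"
    expected_mime, magics = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != expected_mime:
        return False, "declared Content-Type does not match extension"
    if not any(data.startswith(m) for m in magics):
        return False, "file content does not match its extension"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen random name: the client's filename never hits the filesystem."""
    return secrets.token_hex(16) + ext


def download_headers(ext: str) -> dict:
    """Headers for serving a stored attachment so the browser downloads it
    as an opaque file rather than rendering it as HTML or running it as script."""
    return {
        "Content-Type": ALLOWED[ext][0],
        "Content-Disposition": f'attachment; filename="receipt{ext}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```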

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2020-26583

Affected Products

Sage Dpw