CVE-2023-30454

Name of the Vulnerable Software and Affected Versions ebankIT versions prior to 7

Description An issue exists where Document Object Model based XSS is present within the "/Security/Transactions/Transactions.aspx" endpoint. Users can supply their own JavaScript within the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter that will be passed to an eval() function and executed upon pressing the continue button.

Recommendations For versions prior to 7, as a temporary workaround, consider disabling the eval() function until a patch is available. Restrict access to the "/Security/Transactions/Transactions.aspx" endpoint to minimize the risk of exploitation. Avoid using the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray parameter in the affected endpoint until the issue is resolved.