usd-2022-0056 | Reflected XSS in Teller in CPTO 6.3.8.6
Advisory ID: usd-2022-0056
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31302
CVE Link: Pending
Description
An XSS payload inserted into the Teller field executes in the browser when the Select button is pushed.
Fix
Users should update CPTO to its current version.
User-supplied input should always be sanitized.
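The following is an added illustration of the fix guidance above, not code from CPTO or its vendor. It assumes a server that reflects a form field named teller back into the response when the Select button is pressed; the field name, query string and page layout are constructed for the example, and show the unencoded rendering beside its HTML-entity-encoded form.

```python
"""Reflected XSS in a form field: vulnerable rendering next to its hardened form.

Constructed example. The 'teller' parameter name and the page layout are
assumptions; they are not taken from the affected product.
"""
from html import escape
from urllib.parse import parse_qs

# Constructed request: the Teller field carries HTML markup instead of a name.
SAMPLE_QUERY = "teller=<script>alert(1)</script>&action=select"


def teller_from_query(query: str) -> str:
    """Extract the Teller field value from a URL-encoded query string."""
    return parse_qs(query, keep_blank_values=True).get("teller", [""])[0]


def render_vulnerable(teller: str) -> str:
    """Reflects the value verbatim (CWE-79): markup in the input becomes
    markup in the page, so the browser executes it on render."""
    return f'<input name="teller" value="{teller}"><p>Selected teller: {teller}</p>'


def render_hardened(teller: str) -> str:
    """Same page, but the value is HTML-entity encoded before it is written
    into the response. quote=True also encodes quotes, which matters for the
    attribute context in addition to the element-body context."""
    safe = escape(teller, quote=True)
    return f'<input name="teller" value="{safe}"><p>Selected teller: {safe}</p>'


def contains_live_markup(html: str, untrusted: str) -> bool:
    """Regression check: did the untrusted input survive unencoded in the output?"""
    return untrusted in html


if __name__ == "__main__":
    value = teller_from_query(SAMPLE_QUERY)
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
```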
References
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Timeline
- 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
- 2022-11-28: The Responsible Disclosure team tries to establish contact with the vendor for the first time.
- 2023-04-27: CVE IDs are requested and subsequently reserved.
- 2023-05-12: Trying to establish contact via phone and email has been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed by autumn.
- 2023-11-23: Marcus Nilsson got in touch with the vendor; the advisories shall be published in December without a Proof-Of-Concept of the exploits.
- 2022-12-21: Advisory published by usd AG.
Credits
This security vulnerability was found by Marcus Nilsson of usd AG.