usd-2020-0029 | NeoPost Mail Accounting Software Pro 5.0.6
Advisory ID: usd-2020-0029
CVE Number: CVE-2020-27974
Affected Product: NeoPost Mail Accounting Software Pro
Affected Version: 5.0.6
Vulnerability Type: Reflected XSS
Security Risk: High
Vendor URL: https://www.neopost.de/
Vendor Status: Not fixed
Reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off of a web application to the victims browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.
Proof of Concept (PoC)
The XSS attack was possible via the following url:
Make sure to encode and/or filter the user supplied input.
- 020-03-25 This vulnerability was found during a Penetration Test on one of our customers
- 2020-03-26 First attempt to contact vendor
- 2020-05-14 Second attempt to contact vendor
- 2020-08-06 Third attempt to contact vendor
- 2020-09-23 Vendor was informed of upcoming release
- 2020-10-27 Security Advisory released
This security vulnerability was found by Tim Kranz and Lars Neumann of usd AG.