usd-2022-0056 | Reflected XSS in Teller in CPTO 6.3.8.6

Advisory ID: usd-2022-0056
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31302
CVE Link: Pending

Description

An XSS payload inserted into the Teller field executes in the browser when the Select button is pushed.

Fix

Users should update CPTO to its current version.

User-supplied input should always be sanitized.

References

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Timeline

2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
2022-11-28: The Responsible Disclosure tries to establish contact with vendor for the first time.
2023-04-27: CVE IDs are requested and subsequently reserved.
2023-05-12: Trying to establish contact via phone and email has been unsucessful, usd AG's customer notifies the team that vulnerabilities should by fixed come autumn.
2023-11-23: Marcus Nilsson got in touch with vendor, the advisories shall be published without a Proof-Of-Concept of the exploits in December.
2022-12-21: Advisory published by usd AG.

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.

usd-2022-0056 | Reflected XSS in Teller in CPTO 6.3.8.6

Description

Fix

References

Timeline

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

Contact

Follow Us

LabNews

Security Advisories for SONIX and SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories for Zimperium and FileCloud