usd-2022-0058 | Stored XSS in Client Name in CPTO 6.3.8.6

Advisory ID: usd-2022-0058
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31297
CVE Link: Pending

Description

An admin user can attack all other users assigned to the same client by inserting JavaScript into the Name field of a client. The stored payload executes whenever a victim browses the client selection, the licenses page or the homepage.

Fix

Users should update CPTO to its current version.

User-supplied input should always be sanitized.
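As an added illustration of the fix (example code, not CPTO's own), the following shows the vulnerable rendering pattern next to a hardened one: the stored client name is HTML-encoded for the context it lands in, with write-time validation of the Name field as defense in depth. The client record, field names and rendering functions are assumptions.

```javascript
// Added example, not CPTO code. Assumption: client names are stored as plain
// strings and rendered server-side into the client selection markup.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern (CWE-79): the stored name is concatenated into the page
// as-is, so any tag inside it becomes live markup for every user of that client.
function renderClientOptionUnsafe(client) {
  return `<option value="${client.id}">${client.name}</option>`;
}

// Hardened pattern: every dynamic value is encoded before it reaches the page.
function renderClientOptionSafe(client) {
  return `<option value="${escapeHtml(client.id)}">${escapeHtml(client.name)}</option>`;
}

// Write-time validation of the Name field (defense in depth, not a substitute
// for output encoding): bound the length and reject angle brackets.
function validateClientName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 100) return false;
  return !/[<>]/.test(name);
}

// Constructed sample record: a name carrying a harmless script tag.
const sampleClient = { id: 42, name: 'Acme & Co <script>alert(1)</script>' };

// Compare both renderings and the validation verdict for the sample.
function demo() {
  return {
    unsafe: renderClientOptionUnsafe(sampleClient),
    safe: renderClientOptionSafe(sampleClient),
    accepted: validateClientName(sampleClient.name),
  };
}
```

The safe rendering leaves the tag inert as visible text, while the validation rejects the name before it is ever stored.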

References

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Timeline

  • 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
  • 2022-11-28: The Responsible Disclosure team tries to establish contact with the vendor for the first time.
  • 2023-04-27: CVE IDs are requested and subsequently reserved.
  • 2023-05-12: Attempts to establish contact via phone and email have been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed by autumn.
  • 2023-11-23: Marcus Nilsson got in touch with the vendor; the advisories shall be published without a Proof-of-Concept of the exploits in December.
  • 2023-12-21: Advisory published by usd AG.

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.