usd-2022-0060 | Stored XSS in User ID in CPTO 6.3.8.6

Advisory ID: usd-2022-0060
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31298
CVE Link: Pending


Description

An admin user can attack new system users or other admin users by creating a new system user and injecting JavaScript into the User ID field. The stored payload executes when the new user is required to change the password on first login, again once the new user is logged in, and also when a different admin user views the application log.

Fix

Users should update CPTO to its current version.

User-supplied input should always be sanitized.
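The two controls that close this class of bug are an allowlist on the User ID at creation time and context-aware HTML escaping at every point where the stored ID is written into a page (the first-login password-change page and the application log view are the sinks named above). The following is an added example and not CPTO's or the vendor's code; the ID policy, page templates and log layout are assumptions.

```python
import html
import re

# Assumed input policy for new user IDs: letters, digits, dot, underscore and
# hyphen only, at most 64 characters. Adjust to the deployment's naming scheme.
USER_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_user_id(user_id: str) -> bool:
    """Boundary check when an admin creates a user: reject anything outside the allowlist."""
    return USER_ID_RE.fullmatch(user_id) is not None


def render_password_change_page(user_id: str) -> str:
    """First-login page: the ID lands in an HTML text node, so entity-encode it at output time."""
    safe_id = html.escape(user_id, quote=True)
    return f"<h1>Welcome, {safe_id}. Please change your password.</h1>"


def render_log_row(timestamp: str, actor: str, message: str) -> str:
    """Application-log row shown to admins; every stored field is escaped, not just the ID.

    Escaping at the sink protects against IDs stored before the allowlist existed."""
    cells = (html.escape(value, quote=True) for value in (timestamp, actor, message))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def contains_raw_markup(rendered: str) -> bool:
    """Helper for checks: True if any unescaped tag or quote delimiter survived rendering."""
    body = rendered.split(">", 1)[1] if rendered.startswith("<") else rendered
    inner = re.sub(r"</?(h1|tr|td)>", "", body)
    return any(ch in inner for ch in "<>\"'")


if __name__ == "__main__":
    # Constructed sample: an ID that carries a script tag, as a stored-XSS probe would.
    hostile_id = 'j.doe<script>alert(1)</script>'
    print("accepted at creation:", validate_user_id(hostile_id))
    print(render_password_change_page(hostile_id))
    print(render_log_row("2022-11-03 10:00", "admin", f'created user "{hostile_id}"'))
```
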

References

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Timeline

  • 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
  • 2022-11-28: The Responsible Disclosure team tries to establish contact with the vendor for the first time.
  • 2023-04-27: CVE IDs are requested and subsequently reserved.
  • 2023-05-12: Attempts to establish contact via phone and email have been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed by autumn.
  • 2023-11-23: Marcus Nilsson got in touch with the vendor; the advisories are to be published in December without a proof of concept for the exploits.
  • 2023-12-21: Advisory published by usd AG.

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.