{"id":16679,"date":"2021-07-08T11:55:04","date_gmt":"2021-07-08T09:55:04","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0029\/"},"modified":"2024-06-24T16:25:23","modified_gmt":"2024-06-24T14:25:23","slug":"usd-2020-0029","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0029\/","title":{"rendered":"usd-2020-0029"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.25.2\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2020-0029 | NeoPost Mail Accounting Software Pro 5.0.6<\/span><\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2020-0029<br \/><strong>CVE Number<\/strong>: CVE-2020-27974<br \/><strong>Affected Product<\/strong>: NeoPost Mail Accounting Software Pro<br \/><strong>Affected Version<\/strong>: 5.0.6<br \/><strong>Vulnerability Type<\/strong>: Reflected XSS<br \/><strong>Security Risk<\/strong>: High<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/mail.quadient.com\/de\/homepage\" target=\"_blank\" rel=\"noopener\">https:\/\/www.neopost.de\/<\/a><br \/><strong>Vendor Status<\/strong>: Not fixed<\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>Reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off of a web application to the victims browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.<\/span><\/p>\n<p><span><\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>The XSS attack was possible via the following url: <\/span><code>http:\/\/localhost\/php\/Commun\/FUS_SCM_BlockStart.php?code=%3Cscript%3Ealert(%27XSS%27)%3C\/script%3E<\/code><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Make sure to encode and\/or filter the user supplied input.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>020-03-25 This vulnerability was found during a Penetration Test on one of our customers<\/li>\n<li>2020-03-26 First attempt to contact vendor<\/li>\n<li>2020-05-14 Second attempt to contact vendor<\/li>\n<li>2020-08-06 Third attempt to contact vendor<\/li>\n<li>2020-09-23 Vendor was informed of upcoming release<\/li>\n<li>2020-10-27 Security Advisory released<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Tim Kranz and Lars Neumann of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2020-0029 | NeoPost Mail Accounting Software Pro 5.0.6 Advisory ID: usd-2020-0029CVE Number: CVE-2020-27974Affected Product: NeoPost Mail Accounting Software ProAffected Version: 5.0.6Vulnerability Type: Reflected XSSSecurity Risk: HighVendor URL: https:\/\/www.neopost.de\/Vendor Status: Not fixed Description Reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off of a web application to the victims browser. The [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16679","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16679"}],"version-history":[{"count":1,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16679\/revisions"}],"predecessor-version":[{"id":22788,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16679\/revisions\/22788"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}