usd-2022-0059 | Stored XSS in Login Form in CPTO 6.3.8.6

Advisory ID: usd-2022-0059
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31301
CVE Link: Pending

Description

An unauthenticated attacker can inject a JavaScript payload into the Username field of the login form. The rejected authentication attempt, including the attacker-controlled user ID, is written to the application log and later rendered into the log view without output encoding. The payload executes in the browser of an administrator who views the application log, where authentication attempts as well as invalid and blacklisted user IDs are displayed. Because the payload persists in the log, this is a stored (rather than reflected) cross-site scripting issue, and it requires no user interaction beyond an administrator opening the log page.
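
The following is an added illustration of the vulnerability class described above, not code from CPTO or from usd AG; the advisory is published without a proof of concept, so the log format, the field names and the sample `<script>` user ID are constructed for the example. It shows a log view that interpolates the logged user ID straight into HTML next to a hardened version that HTML-entity-encodes every field and, on the input side, flags user IDs that fall outside an allowlist so they can be rejected before they ever reach the log.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class LogEntry:
    """One line of a hypothetical application log (constructed for this example)."""
    timestamp: str
    event: str
    user_id: str  # attacker-controlled: copied from the login form's Username field


# Constructed sample log entries; the second user ID is a generic XSS probe, not a CPTO payload.
SAMPLE_LOG = [
    LogEntry("2022-11-03 10:15:02", "authentication failed", "jdoe"),
    LogEntry("2022-11-03 10:15:40", "user id blacklisted", "<script>alert(1)</script>"),
]

# Allowlist for user IDs: letters, digits, and a few separators, bounded length.
# Assumed policy for the example; a real application picks its own.
USER_ID_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def render_log_vulnerable(entries):
    """The CWE-79 pattern: logged fields are placed in the page without any encoding."""
    rows = "".join(
        f"<tr><td>{e.timestamp}</td><td>{e.event}</td><td>{e.user_id}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_hardened(entries):
    """Contextual output encoding: every field is HTML-entity-encoded for element content."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(e.timestamp), html.escape(e.event), html.escape(e.user_id)
        )
        for e in entries
    )
    return f"<table>{rows}</table>"


def flag_suspicious_user_ids(entries):
    """Input-side check: return entries whose user ID violates the allowlist.

    This complements, but does not replace, output encoding: the log viewer must
    still encode, because other writers may put arbitrary data into the log.
    """
    return [e for e in entries if not USER_ID_RE.match(e.user_id)]


def contains_raw_script_tag(markup):
    """Crude indicator used to contrast the two renderers: an unencoded <script tag."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable view executes payload:", contains_raw_script_tag(render_log_vulnerable(SAMPLE_LOG)))
    print("hardened view executes payload:  ", contains_raw_script_tag(render_log_hardened(SAMPLE_LOG)))
    print("flagged user IDs:", [e.user_id for e in flag_suspicious_user_ids(SAMPLE_LOG)])
```

The hardened renderer encodes every field, not just the user ID, because the log viewer cannot know which writers are trustworthy; the allowlist check belongs in the login handler so that a rejected user ID is logged in a neutral form (or not at all) rather than verbatim.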

Fix

Users should update CPTO to its current version.

User-supplied input must be treated as untrusted wherever it is rendered: apply contextual output encoding (HTML entity encoding for element content in this case) when writing logged values such as user IDs into the application log view, and validate user IDs against an allowlist at the login form so that malformed values are not stored verbatim.

References

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Timeline

  • 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
  • 2022-11-28: The usd AG Responsible Disclosure team tries to establish contact with the vendor for the first time.
  • 2023-04-27: CVE IDs are requested and subsequently reserved.
  • 2023-05-12: Attempts to establish contact via phone and email have been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed by autumn.
  • 2023-11-23: Marcus Nilsson gets in touch with the vendor; the advisories are to be published in December without proof-of-concept exploits.
  • 2023-12-21: Advisory published by usd AG.

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.