usd-2022-0059 | Stored XSS in Login Form in CPTO

Advisory ID: usd-2022-0059
Product: Cash Point & Transport Optimizer CPTO
Affected Version: (#718) 06.07.2021
Vulnerability Type: CWE 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL:
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31301
CVE Link: Pending


An unauthenticated attacker can target an admin user through the login form and the application log. Submitting a JavaScript payload in the Username field stores it in the log; the payload is triggered when the admin user views the application log, where authentication attempts as well as invalid and blacklisted user IDs are displayed.


Users should update CPTO to its current version.

User-supplied input should always be sanitized.
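The following is an added example, not CPTO code, illustrating the class of defect described above and the fix: an admin log view that concatenates the logged username straight into HTML next to a version that HTML-escapes every user-controlled field at render time. The log entries and field names are constructed for the example.

```javascript
// Added example (not from CPTO or usd AG). Shows a failed-login log view
// rendered for an administrator, once without output encoding (the bug class
// in the advisory, CWE-79) and once with HTML escaping applied.

// Escape a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample entries a login handler might record for failed,
// invalid and blacklisted user IDs. The second and third usernames are the
// kind of attacker-controlled markup the advisory describes.
const SAMPLE_LOG = [
  { time: "2022-11-03T10:15:00Z", user: "alice", result: "invalid password" },
  { time: "2022-11-03T10:16:30Z", user: "<script>alert(1)</script>", result: "unknown user" },
  { time: "2022-11-03T10:17:05Z", user: "bob\" onmouseover=\"alert(2)", result: "blacklisted" },
];

// Vulnerable: user-controlled fields are concatenated directly into the page.
function renderLogUnsafe(entries) {
  return entries
    .map(e => `<tr><td>${e.time}</td><td>${e.user}</td><td>${e.result}</td></tr>`)
    .join("\n");
}

// Hardened: every field is escaped for the HTML element context it lands in.
function renderLogSafe(entries) {
  return entries
    .map(e => `<tr><td>${escapeHtml(e.time)}</td><td>${escapeHtml(e.user)}</td><td>${escapeHtml(e.result)}</td></tr>`)
    .join("\n");
}

// Regression check for a test suite: the rendered admin page must not contain
// a raw script tag or an unescaped quoted event-handler attribute.
function containsRawTag(html) {
  return /<script|on\w+\s*=\s*"/i.test(html);
}
```

Escaping belongs at the point where log data is written into the page; storing the raw username in the log is fine as long as every view that displays it encodes for its output context.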



  • 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
  • 2022-11-28: The Responsible Disclosure team tries to establish contact with the vendor for the first time.
  • 2023-04-27: CVE IDs are requested and subsequently reserved.
  • 2023-05-12: Attempts to establish contact via phone and email have been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed in autumn.
  • 2023-11-23: Marcus Nilsson gets in touch with the vendor; the advisories shall be published in December without a proof of concept of the exploits.
  • 2023-12-21: Advisory published by usd AG.


This security vulnerability was found by Marcus Nilsson of usd AG.