CVSS2: AV:N/AC:M/Au:S/C:N/I:P/A:N
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

EPSS Percentile: 23.3%
Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript.
Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization or output encoding, so it executes in the browser of any user who views the affected page. This could potentially allow for website redirection, session hijacking, or information disclosure.
A local, authenticated attacker could add arbitrary JavaScript within the application that would execute in the browser of any user that views it, which potentially allows for website redirection, session hijacking, or information disclosure.
This vulnerability has been corrected in BuySpeed version 15.3.
VU#660597
Periscope Holdings, Inc.: Affected
Notified: June 26, 2019. Updated: April 10, 2020
Statement Date: November 01, 2019
Periscope Holdings, Inc. takes cybersecurity very seriously, including the report of this vulnerability by Carnegie Mellon's CERT Coordination Center. Our team was aware of this vulnerability prior to CERT's notification on April 6, 2020 and had already developed remediation and made this available to customers in BuySpeed version 15.3.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 3.2 | AV:L/AC:L/Au:S/C:N/I:P/A:P |
Temporal | 2.9 | E:POC/RL:U/RC:C |
Environmental | 0.9 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
This document was written by Laurie Tyzenhaus.
CVE IDs: CVE-2020-9056
Date Public: 2020-04-06
Date First Published:
cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
cwe.mitre.org/data/definitions/79.html
nvd.nist.gov/vuln/detail/CVE-2020-9056
support.buyspeed.com/hc/en-us/articles/360035773831-Buyspeed-15-3-0-Release-Notes
www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Stored_and_Reflected_XSS_Attacks
www.periscopeholdings.com/buyspeed