CERT Vulnerability Note VU:660597

Periscope BuySpeed is vulnerable to stored cross-site scripting

Date Public: 2020-04-06
Source: www.kb.cert.org

CVSS2 base score: 3.5
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Metric Value
Attack Vector NETWORK
Attack Complexity MEDIUM
Authentication SINGLE
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE

CVSS3 base score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

Metric Value
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required LOW
User Interaction REQUIRED
Scope CHANGED
Confidentiality Impact NONE
Integrity Impact LOW
Availability Impact LOW

EPSS score: 0.001 (percentile 23.3%)

Overview

Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript.

Description

Periscope BuySpeed is a “tool to automate the full procure-to-pay process efficiently and intelligently”. BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. The application later displays that stored content without sanitization or output encoding, so the JavaScript executes in the browser of any user who views it. This could potentially allow website redirection, session hijacking, or information disclosure.
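The note describes the classic stored-XSS pattern: text saved by one authenticated user is later written into a page for other users without being encoded. The following is an added example, not code from the CERT note or from Periscope's product, showing that pattern next to its fix: a rendering function that concatenates a stored record straight into markup, the same function with HTML entity encoding applied at output time, and a small check that flags markup containing tags the template itself did not emit. The record, field names, and the `escapeHtml`, `renderNoteUnsafe`, `renderNoteSafe`, and `containsInjectedTag` functions are all constructed for illustration.

```javascript
// Added example (not from the CERT note or Periscope's code). All data and
// function names below are constructed for illustration.

// Minimal HTML entity encoder for text placed inside element content or a
// double-quoted attribute value. These five characters are the ones that can
// change HTML structure; encoding them leaves injected markup inert.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed "stored" record, standing in for a field a low-privilege user
// can save in the application (a comment, note, or description).
const storedNote = {
  author: "requisitioner",
  body: '<script>alert("stored")</script>',
};

// Vulnerable pattern: the stored text is concatenated directly into markup,
// so a browser parses the saved <script> element and runs it for every viewer.
function renderNoteUnsafe(note) {
  return `<div class="note"><b>${note.author}</b>: ${note.body}</div>`;
}

// Hardened pattern: every untrusted field is entity-encoded when it is written
// into the page. The note still displays verbatim, but as text, not markup.
function renderNoteSafe(note) {
  return `<div class="note"><b>${escapeHtml(note.author)}</b>: ${escapeHtml(note.body)}</div>`;
}

// Test-time check: does the rendered HTML contain any element tag other than
// the ones the template is known to emit? A hit means untrusted data reached
// the page unencoded. Tag matching is case-insensitive.
function containsInjectedTag(html, templateTags = ["div", "b"]) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!templateTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

console.log("unsafe render injected tag:", containsInjectedTag(renderNoteUnsafe(storedNote)));
console.log("safe render injected tag:  ", containsInjectedTag(renderNoteSafe(storedNote)));
console.log(renderNoteSafe(storedNote));
```

Encoding at output time, rather than trying to strip dangerous input on the way in, is the fix that generalizes: it protects every page that displays the field, regardless of which form or API stored it. A check like `containsInjectedTag` belongs in the template's unit tests so that a regression reintroducing raw concatenation is caught before release.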


Impact

A local, authenticated attacker could add arbitrary JavaScript within the application that would execute in the browser of any user that views it, which potentially allows for website redirection, session hijacking, or information disclosure.


Solution

This vulnerability has been corrected in BuySpeed version 15.3.


Vendor Information


Periscope Holdings: Affected

Notified: June 26, 2019 Updated: April 10, 2020

Statement Date: November 01, 2019

Status

Affected

Vendor Statement

Periscope Holdings, Inc. takes cybersecurity very seriously, including the report of this vulnerability by Carnegie Mellon’s CERT Coordination Center. Our team was aware of this vulnerability prior to CERT’s notification on April 6, 2020 and had already developed remediation and made this available to customers in BuySpeed version 15.3.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 3.2 AV:L/AC:L/Au:S/C:N/I:P/A:P
Temporal 2.9 E:POC/RL:U/RC:C
Environmental 0.9 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs: CVE-2020-9056
Date Public: 2020-04-06 Date First Published:
