The Versiant LYNX Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript.
The Versiant LYNX Customer Service Portal (CSP) is a “full-service customer portal that provides real-time information to terminal operators on the status of shipments into and out of a marine container terminal”. The LYNX CSP, version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user.
A local, authenticated attacker could store malicious JavaScript in the CSP that would execute in the browser of any user who views it. This could lead to website redirects, session cookie hijacking, or information disclosure.
Apply an update
This vulnerability has been patched in version 3.5.3 of Versiant LYNX Customer Service Portal. Customers should log into the Lynx customer portal to obtain the latest version.
962085
Notified: June 26, 2019 Updated: March 27, 2020
Statement Date: March 25, 2020
Affected
This item has since been resolved in Lynx version 3.5.3.
Special characters are prevented from being input from user forms. Form input values are being sanitized/escaped now to prevent this vulnerability if special characters are needed for input.
To obtain the latest version, users should log into the Lynx customer portal at https://csp.poha.com/.
Group | Score | Vector |
---|---|---|
Base | 3.2 | AV:L/AC:L/Au:S/C:N/I:P/A:P |
Temporal | 2.9 | E:POC/RL:U/RC:C |
Environmental | 0.9 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
This document was written by Laurie Tyzenhaus.
CVE IDs: | CVE-2020-9055 |
---|---|
Date Public: | 2020-03-30 |
Date First Published: | |