CERT VU:962085
Mar 30, 2020 - 12:00 a.m.

Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting

2020-03-30 00:00:00
www.kb.cert.org

EPSS: 0.001 (Low), Percentile: 20.2%

Overview

The Versiant LYNX Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript.

Description

The Versiant LYNX Customer Service Portal (CSP) is a “full-service customer portal that provides real-time information to terminal operators on the status of shipments into and out of a marine container terminal”. The LYNX CSP, version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user.


Impact

A local, authenticated attacker could store malicious JavaScript in the CSP that would execute in the browser of any user who views it. This could lead to website redirects, session cookie hijacking, or information disclosure.


Solution

Apply an update

This vulnerability has been patched in version 3.5.3 of Versiant LYNX Customer Service Portal. Customers should log into the Lynx customer portal to obtain the latest version.


Vendor Information

Versiant

Notified: June 26, 2019
Updated: March 27, 2020
Statement Date: March 25, 2020

Status: Affected

Vendor Statement

This item has since been resolved in Lynx version 3.5.3.

Special characters are prevented from being input from user forms. Form input values are being sanitized/escaped now to prevent this vulnerability if special characters are needed for input.

Vendor Information

To obtain the latest version, users should log into the Lynx customer portal at https://csp.poha.com/.

CVSS Metrics

Group          Score  Vector
Base           3.2    AV:L/AC:L/Au:S/C:N/I:P/A:P
Temporal       2.9    E:POC/RL:U/RC:C
Environmental  0.9    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs: CVE-2020-9055
Date Public: 2020-03-30
Date First Published:
